This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

response time - single src ip, multiple dst ip addresses

0

I have a trace with a single source ip address talking to several destination ip addresses. I need a report or graph that shows the http response times for the source going to each dest ip. I need to know who the fastest and slowest servers are when communicating with this ip address. How can I do this? Thank you.

asked 22 Feb '12, 22:11


jacob600
accept rate: 0%


One Answer:

2

It isn't very easy but it can be done.

You need to divide up your HTTP traffic into separate TCP streams and then report on each of them. This is because we are going to use the ability for Wireshark to calculate and display times (deltas) between displayed packets. This only works if you have a single TCP stream in the display.

  1. Identify all of the HTTP conversations. You could use just the "http" display filter, but if you want to be specific, you could use http.host == "the.host.com". (Of course this will be the host in the HTTP headers of the request - which may or may not be the same as the URL of the initial HTTP fetch). To be more general you can use a filter like "http.host contains bbc"
  2. Then use the Statistics->Conversations->TCP, and check limit to display filter, to see all of the conversation to the TCP host.

  3. Then select a TCP stream of interest and follow it, or apply as a display filter. You then need to append a "&& http" again to that particular stream. This way you will only see http requests and responses - not individual frames.

  4. You then will want to use that display filter (copy it) in the IO Graphs. In the IO Graph Filter, use the TCP stream filter anded with the http.response. For instance "tcp.stream eq 155 && ( http.response)". In the Y axis Unit, select Advanced... Then in the Calc: field select MAX (or AVG or MIN), and the field will be 'frame.time_delta_displayed'. You may also want to change the Tick Interval.

  5. As the response times are quite discrete, I would change the Style to FBar.

Note that because by default Wireshark will reassemble multiple TCP segments, displaying the last frame in the response, your default response graph will show the Response Time for the last byte (or at least the last frame). If you want the response time for the first byte (which gives you a better idea of the server processing time, and doesn't include the delay in streaming the whole response), you may want to go into your Preferences->Protocols->HTTP and turn off reassembly. Note that if you do this you should use the filter "http.request && http.response" rather than just "http" to avoid seeing all the in-between frames.

You can see the difference here in the following two graphs (from Australia to the BBC web site for images)

BBC - Response Time to Last Byte

BBC - Response Time to First Byte

answered 23 Feb '12, 02:58


martyvis
accept rate: 7%

edited 23 Feb '12, 03:11
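The answer above produces one graph per TCP stream by hand. The following script is an added example (not part of the original answer or of Wireshark) that applies the same idea, the time between a displayed HTTP request and the next HTTP response in the same TCP stream, to every stream at once and aggregates the deltas per server address, which is what the question asks for (fastest and slowest servers seen from one client). It assumes tab-separated input as produced by `tshark -r trace.pcap -Y "http.request || http.response" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.stream -e http.request.method -e http.response.code`; the embedded sample rows are constructed, with documentation-range addresses, and are not a real capture. With HTTP reassembly left on, the response row is the last segment of the response, so the delta is the time to last byte, exactly as the answer notes; turn reassembly off to measure time to first byte.

```python
"""Per-server HTTP response-time report from tshark field output.

Added example, not the original answer's code. Pairs each HTTP request with
the next HTTP response in the same TCP stream (the same pairing the answer
gets from frame.time_delta_displayed on a one-stream display filter), then
ranks servers by their average response time.
"""
import sys
from collections import defaultdict
from statistics import mean

# Constructed sample rows (not a real capture): client 10.0.0.5 talking to
# three servers; columns match the tshark -e list given in the lead-in.
SAMPLE = """\
1.000\t10.0.0.5\t192.0.2.10\t0\tGET\t
1.120\t192.0.2.10\t10.0.0.5\t0\t\t200
1.500\t10.0.0.5\t198.51.100.7\t1\tGET\t
1.600\t10.0.0.5\t192.0.2.10\t0\tGET\t
1.650\t192.0.2.10\t10.0.0.5\t0\t\t304
2.300\t198.51.100.7\t10.0.0.5\t1\t\t200
3.000\t10.0.0.5\t203.0.113.42\t2\tGET\t
3.400\t203.0.113.42\t10.0.0.5\t2\t\t200
3.500\t10.0.0.5\t203.0.113.42\t2\tGET\t
"""


def parse_fields(text):
    """Parse tshark -T fields lines into dicts; skip blank or short lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 6:
            continue  # malformed line: fewer columns than requested
        t, src, dst, stream, method, code = parts[:6]
        rows.append({"time": float(t), "src": src, "dst": dst,
                     "stream": stream, "method": method, "code": code})
    return rows


def response_times(rows):
    """Return a list of (server_ip, delta_seconds), one per answered request.

    Requests are queued per TCP stream and matched FIFO with responses, so
    pipelined requests are handled; a request that never gets a response
    (for example the capture ended) is dropped rather than miscounted.
    """
    pending = defaultdict(list)  # tcp.stream -> [(request_time, server_ip)]
    results = []
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["method"]:  # request: the server is the destination
            pending[r["stream"]].append((r["time"], r["dst"]))
        elif r["code"] and pending[r["stream"]]:  # response: match oldest request
            t_req, server = pending[r["stream"]].pop(0)
            results.append((server, r["time"] - t_req))
    return results


def per_server_report(results):
    """Aggregate deltas per server; sorted fastest first by average."""
    by_server = defaultdict(list)
    for server, delta in results:
        by_server[server].append(delta)
    report = [{"server": s, "count": len(d), "min": min(d),
               "avg": mean(d), "max": max(d)} for s, d in by_server.items()]
    report.sort(key=lambda e: e["avg"])
    return report


if __name__ == "__main__":
    # Pipe tshark output in, or run without input to use the sample rows.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for e in per_server_report(response_times(parse_fields(text))):
        print(f'{e["server"]:<16} n={e["count"]:<3} min={e["min"]:.3f}s '
              f'avg={e["avg"]:.3f}s max={e["max"]:.3f}s')
```

Feed it a real capture with `tshark ... | python3 report.py`; the ordering of the output is the fastest-to-slowest ranking the question asks for, and `count` shows how many request/response pairs each average rests on.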