Confused by calculated throughput of a burst of packets in Wireshark

asked 2019-07-20 14:45:08 +0000

updated 2019-07-21 14:05:12 +0000

I am dealing with a problem using Wireshark for a slowly performing CIFS conversation:

PC(Client-side) <----------Download------------Server(Windows SMBv2)

But packets captured at Client-side by Wireshark confused me: pcap snapshot

There are 13 consecutive packets, all with the same size of 1514, that arrived from the Server-side at high frequency.

The first packet's timestamp is 3.838928, the last one is 3.838934, so all 13 packets were transferred in only 0.000006 s (3.838934-3.838928).

By my calculation, the throughput is (1514 Byte*13)/0.000006s = 3,280,333,333 ≈ 3GBps ≈ 24Gbps.

Although the Server-side has a 10GE interface, the Client PC only has a 1Gbps 1000BASE-T link, so how can this happen?

1 Answer

answered 2019-07-21 14:03:57 +0000

Welcome to the wonderful internals of packet capturing. When you use Wireshark to capture, libpcap (or WinPcap/Npcap on Windows) is used to read the packets, timestamp them and write them to disk. This means the following things occur in order (this is my interpretation of the internal process to explain your finding; it might not be 100% correct):

  1. packet is received by the network interface card (NIC)
  2. the NIC issues an interrupt so the OS knows there is data to collect
  3. the scheduler of the OS will decide when the packet is read from the NIC
  4. the packet is read from the NIC by the OS
  5. the packet is also read by libpcap
  6. libpcap applies the BPF packet filter, if the filter does not match, it will skip the rest of these steps
  7. libpcap copies the packet from kernel-space to user-space
  8. libpcap creates a packet-header with a timestamp
  9. libpcap writes the packet to disk

As there is some time between step 1 and step 4, there is a big chance some more packets arrived in the meantime. Once libpcap gets to read the packets and timestamp them, it has no knowledge of the times the packets were actually received; it can only use the current time as the timestamp for each packet. Therefore the real delta time between the packets is lost, and the timestamps in the pcap file are just an approximation.

If you need more accurate timestamps, you will need to use a network card or external device that is specifically made for packet capturing and has the ability to timestamp the packet as soon as it is received.

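The answer's point can be turned into a quick sanity check on a capture: if a burst's pcap timestamps span less time than the link would physically need to deliver those frames, the deltas were assigned by libpcap after the fact rather than measured at arrival. The following is an added example, not code from the question, the answer or the Wireshark project. It assumes pcap-style (seconds, microseconds) timestamps, that Wireshark's 1514-byte length excludes the FCS (the usual case, since most NICs strip it), and standard Ethernet overhead of preamble/SFD, FCS and inter-frame gap; the frame lists are constructed from the numbers in the question.

```python
"""Sanity-check burst timestamps in a capture against the link rate.

Added example (not from the original question or answer): given frames
with pcap-style (seconds, microseconds) timestamps, compute the apparent
throughput and the minimum time the link would need to deliver them.
A burst whose timestamps span less than that minimum cannot reflect
real arrival times; the deltas were assigned later by libpcap.
"""
from dataclasses import dataclass

# Ethernet overhead not counted in the captured length (assumption: the
# NIC stripped the FCS before capture): preamble+SFD (8), FCS (4) and
# inter-frame gap (12).
ETHERNET_OVERHEAD_BYTES = 8 + 4 + 12


@dataclass(frozen=True)
class Frame:
    ts_sec: int        # pcap record header: seconds
    ts_usec: int       # pcap record header: microseconds
    captured_len: int  # bytes as shown by Wireshark (no FCS)


def timestamp_us(frame: Frame) -> int:
    """Integer microseconds, exactly as pcap stores it (no float rounding)."""
    return frame.ts_sec * 1_000_000 + frame.ts_usec


def wire_time_us(captured_len: int, link_bps: int) -> float:
    """Microseconds a frame occupies on the wire at the given link rate."""
    bits = (captured_len + ETHERNET_OVERHEAD_BYTES) * 8
    return bits / link_bps * 1e6


def apparent_throughput_bps(frames) -> float:
    """Throughput implied by the first/last pcap timestamps of the burst."""
    span_us = timestamp_us(frames[-1]) - timestamp_us(frames[0])
    if span_us <= 0:
        raise ValueError("burst spans zero time; cannot compute a rate")
    total_bits = sum(f.captured_len for f in frames) * 8
    return total_bits / (span_us * 1e-6)


def minimum_burst_span_us(frames, link_bps: int) -> float:
    """Least time between first and last frame if the link delivered them.

    The first frame's timestamp is taken once it has fully arrived, so only
    the remaining N-1 frames must fit between the two timestamps.
    """
    return sum(wire_time_us(f.captured_len, link_bps) for f in frames[1:])


def check_burst(frames, link_bps: int) -> dict:
    """Compare the observed timestamp span with the physical minimum."""
    observed = timestamp_us(frames[-1]) - timestamp_us(frames[0])
    minimum = minimum_burst_span_us(frames, link_bps)
    return {
        "frames": len(frames),
        "apparent_bps": apparent_throughput_bps(frames),
        "observed_span_us": observed,
        "min_span_us": minimum,
        # False means the timestamps were assigned after arrival (the
        # libpcap behaviour described in the answer), not measured at the NIC.
        "timestamps_plausible": observed >= minimum,
    }


GIGABIT = 1_000_000_000  # the client's 1000BASE-T link

# Constructed input mirroring the question: 13 frames of 1514 bytes whose
# pcap timestamps run from 3.838928 s to 3.838934 s (6 us over 12 gaps).
BURST_FROM_QUESTION = [Frame(3, 838928 + i * 6 // 12, 1514) for i in range(13)]

# Constructed contrast: the same 13 frames spaced 15 us apart, which a
# 1 Gbps link can actually deliver (each frame needs about 12.3 us on the wire).
PACED_BURST = [Frame(3, 838928 + i * 15, 1514) for i in range(13)]

if __name__ == "__main__":
    for name, burst in (("question", BURST_FROM_QUESTION), ("paced", PACED_BURST)):
        r = check_burst(burst, GIGABIT)
        print(f"{name}: {r['apparent_bps'] / 1e9:.1f} Gbps apparent, "
              f"span {r['observed_span_us']} us, needs >= {r['min_span_us']:.1f} us, "
              f"plausible={r['timestamps_plausible']}")
```

For the burst in the question the 13 frames would need roughly 148 µs of wire time on a 1 Gbps link, but the capture shows them 6 µs apart, so the check reports the timestamps as implausible; the paced burst passes. The same logic applies to any link rate passed as `link_bps`, and it is a useful first filter before reading anything into sub-millisecond deltas from a host-based capture.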