Ask Your Question
0

Wireshark equivalent of TSecr?

asked 2020-04-02 20:08:56 +0000

alohawireshark gravatar image

Does Wireshark capture the equivalent of TSecr or provide the information needed to calculate it?

I have read that RTT = Current Time/Actual Time for ACK - TSecr. What field names would these variables correspond to in tshark output, assuming a .pcap input file?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2020-04-02 21:26:52 +0000

Guy Harris gravatar image

Does Wireshark capture the equivalent of TSecr

If you're referring to the Timestamp Echo Reply field in the TCP Timestamps Option, in Wireshark, the equivalent of the Timestamp Echo Reply field in the TCP Timestamps Option is the Timestamp Echo Reply field in the TCP Timestamps Option.

That field should be displayed in any TCP segment containing that option, assuming the capture wasn't cut short by a "snapshot length" before that field.

What field names would these variables correspond to in tshark output,

The field for the Timestamp Echo Reply field in the TCP Timestamps Option is tcp.options.timestamp.tsecr.

The "actual time" for a given field, to the extent that packet time stamps are reliably indicated by the packet capture mechanism, is the frame.time field, which is the absolute time (and date) when the frame arrived on the machine that captured it. ("Reliably indicated" above means that there may be a delay between the time when the frame arrives at the network adapter and the time when the OS time stamps it, so you probably shouldn't count on nanosecond precision, for example.)

Note, however, that the "timestamp clock" used in the TS Value (TSval) and TS Echo Reply (TSecr) in the Timestamps Option is "simply a monotonically non-decreasing serial number, without any connection to time", so there is NO guarantee that you can subtract its value from any other clock, including the clock used to time stamp a packet. Please read RFC 7323 "TCP Extensions for High Performance" carefully before using the TSval or TSecr values.

assuming a .pcap input file?

The file format is irrelevant, except perhaps for the frame.time field, the resolution of which may depend on the file format.

edit flag offensive delete link more

Comments

Hi. The reason I ask is because my .pcap file doesn’t contain a TSVal or TSecr or tcp.options.timestamp.tsecr field, whereas my .json output does.

alohawireshark gravatar imagealohawireshark ( 2020-04-02 21:33:18 +0000 )edit

So is this JSON output the output of TShark being run with your capture file as input and with the -T json flag?

Guy Harris gravatar imageGuy Harris ( 2020-04-12 20:35:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-04-02 20:08:56 +0000

Seen: 369 times

Last updated: Apr 02