
Can't get a momentary traffic throughput column by dividing TCP segment length by elapsed time

asked 2024-10-30 10:04:52 +0000

lukasl1991

updated 2024-10-31 02:54:17 +0000

Guy Harris

Hi all,

I try to visualize the momentary throughput of a TCP connection in a custom column, just to get an idea of how latency affects throughput. If I understood correctly, this should be achieved by tcp.len / tcp.analysis.ack_rtt or maybe by tcp.len / tcp.time_delta. Both expressions are not accepted by Wireshark. I assume because the denominator may be zero? Generally, division works, e.g. tcp.len / ip.len works.

Do you have any idea how I can make this work?

Regards, Lukas


1 Answer


answered 2024-10-30 17:19:55 +0000

Chuckc

updated 2024-10-30 17:21:51 +0000

(screenshots from Version 4.4.1 (v4.4.1-0-g575b2bf4746e) on Windows)
I can't confirm that your calculation assumptions are valid but can explain why the column doesn't work.
It would help if there was an error message/popup explaining why the entry field is invalid (red). [screenshot]

The Wireshark Display Filter Reference: Transmission Control Protocol shows the field types:

tcp.len                 TCP Segment Len                                 Unsigned integer (32 bits)
tcp.analysis.ack_rtt    The RTT to ACK the segment was                  Time offset
tcp.time_delta          Time since previous frame in this TCP stream    Time offset

Error message displayed in status line:

[screenshot]

Error message when opening expert info table:

[screenshot]

The error message displayed with tshark:

C:\tshark -r ./"The Ultimate PCAP v20200224.pcapng" -2 -R "tcp.len / tcp.analysis.ack_rtt"
tshark: FT_UINT32 and FT_RELATIVE_TIME are not compatible.
    tcp.len / tcp.analysis.ack_rtt
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is no mechanism to "cast" fields in the filter language.

You could create a new field (and do all the casting/calculations) in a Lua plugin.
(WSDG: Chapter 10. Lua Support in Wireshark)

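A sketch of the Lua approach suggested in the answer above, added here as an example and not code from the thread or from the Wireshark project: a post-dissector that reads both fields, converts the relative time to float seconds, and exposes the quotient as a new field. The protocol name `tcptput` and the field name `tcptput.bytes_per_sec` are made up for this example.

```lua
-- Added example. Save as e.g. tcp_tput.lua in the personal Lua plugins folder.
-- "tcptput" and "tcptput.bytes_per_sec" are hypothetical names chosen here.
local tput = Proto("tcptput", "TCP momentary throughput (example)")
local f_bps = ProtoField.double("tcptput.bytes_per_sec", "Bytes per second")
tput.fields = { f_bps }

-- Field extractors must be created at load time, not inside the dissector.
local tcp_len_f = Field.new("tcp.len")               -- FT_UINT32
local ack_rtt_f = Field.new("tcp.analysis.ack_rtt")  -- FT_RELATIVE_TIME

function tput.dissector(tvb, pinfo, tree)
    -- First occurrence of each field in this packet; nil when absent.
    -- tcp.analysis.ack_rtt only exists when the TCP preference
    -- "Analyze TCP sequence numbers" is enabled.
    local len_fi, rtt_fi = tcp_len_f(), ack_rtt_f()
    if not len_fi or not rtt_fi then return end

    -- The value of a relative-time field is an NSTime object;
    -- this is the "cast" the display filter language cannot do.
    local rtt = rtt_fi.value
    local secs = rtt.secs + rtt.nsecs / 1e9
    if secs <= 0 then return end   -- never divide by zero

    local bps = len_fi.value / secs
    local sub = tree:add(tput, "TCP momentary throughput")
    sub:add(f_bps, bps):set_generated()
end

-- Run after all regular dissectors so the TCP fields are already populated.
register_postdissector(tput)
```

With the script loaded, `tcptput.bytes_per_sec` can be used as a custom column or in a display filter. Both inputs are read from the same packet, and tcp.analysis.ack_rtt is attached to the ACKing frame, so the result uses that frame's own tcp.len.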

Comments

Or we could make Wireshark support dividing a numeric value by a "relative time" (which really means "not-necessarily-integral number of seconds") value, yielding a "per second" value.

Guy Harris ( 2024-10-30 18:47:22 +0000 )

Thanks for that explanation @Chuckc. I'll check the Lua stuff. @Guy, sounds great! Would be nice if that's feasible for you.

lukasl1991 ( 2024-10-30 19:07:01 +0000 )

@Guy, sounds great! Would be nice if that's feasible for you.

It should be feasible for the Wireshark developers, although it might require changing the way the part of libwireshark (used by both Wireshark and TShark) implements those expressions. Please file a feature request on the Wireshark issue list.

Guy Harris ( 2024-10-31 02:52:43 +0000 )

@Chuckc, regarding my calculation: When tcp.len is the amount of TCP payload, then the respective segment "transported" tcp.len bytes over the network. And when the tcp.analysis.ack_rtt ("The RTT to ACK the segment was") is the time it took to ACK that data, then their quotient is the momentary throughput (if this was the only segment). Or am I wrong?

lukasl1991 ( 2024-11-04 14:12:20 +0000 )
