
Using tshark to work out Elapsed time for HTTP Response

asked 2019-05-29 18:51:19 +0000

pmqs

I need to automate the extraction of the start & end times for a series of HTTP Responses in a pcap.

Using tshark I can use the boolean field http.response to flag the start of the Response and record the frame.time_relative.

The part that looks like it needs more effort is getting the time for the frame that marks the end of the HTTP Response. I think I will need to maintain some history whilst scanning the pcap a frame at a time whilst filtering on the tcp.stream. If I encounter a new HTTP Request in the same tcp.stream (or the end of the file), the time of the last response-path frame for the tcp.stream gives me the end time for the response.

Does that sound correct, or is there an easier way to achieve the same thing with tshark or any of its command-line siblings?

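One way to implement the bookkeeping described in the question, as an added example that is not part of the original post: tshark is run with `-T fields` to emit one row per TCP frame (the invocation in the docstring is an assumption; the field names are real tshark fields), and a small state machine consumes those rows. A response opens on a frame with `http.response` set and closes at the last server-to-client frame seen before the next request in the same `tcp.stream` (or end of file), exactly as the question proposes. It goes one step beyond that rule by also closing a response when the next `http.response` starts in the same stream, and by flagging responses that belong to a pipelined burst (a second request seen while the first is still unanswered), since that is the case where "next request" is no longer a reliable end marker. The rows below are constructed sample data, not a real capture.

```python
"""Derive HTTP response start/end times from tshark field output.

Assumed tshark invocation (one tab-separated row per TCP frame):

    tshark -r capture.pcap -Y tcp -T fields -E separator=/t \
        -e frame.number -e frame.time_relative -e tcp.stream \
        -e ip.src -e http.request -e http.response
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

FIELDS = ["frame.number", "frame.time_relative", "tcp.stream",
          "ip.src", "http.request", "http.response"]


def build_tshark_cmd(pcap: str) -> List[str]:
    """Argument list for the assumed tshark invocation above."""
    cmd = ["tshark", "-r", pcap, "-Y", "tcp", "-T", "fields", "-E", "separator=/t"]
    for f in FIELDS:
        cmd += ["-e", f]
    return cmd


def flag_set(value: str) -> bool:
    """tshark prints booleans as 1/0 or True/False; an absent field is empty."""
    return value.strip() not in ("", "0", "False")


@dataclass
class OpenResponse:
    start: float            # frame.time_relative of the http.response frame
    server: str             # ip.src of that frame, i.e. the response path
    last_server_frame: float
    pipelined: bool


@dataclass
class StreamState:
    outstanding: int = 0    # requests seen without a response yet
    burst_max: int = 0      # peak outstanding since the stream was last idle
    open_resp: Optional[OpenResponse] = None


def _close(stream_id: str, st: StreamState, results: List[dict]) -> None:
    """Finalise the open response: its end is the last response-path frame."""
    r = st.open_resp
    if r is not None:
        results.append({"stream": stream_id, "start": r.start,
                        "end": r.last_server_frame,
                        "elapsed": round(r.last_server_frame - r.start, 6),
                        "pipelined": r.pipelined})
        st.open_resp = None


def response_times(lines: Iterable[str]) -> List[dict]:
    """Walk tshark rows in capture order and emit one record per HTTP response."""
    streams: Dict[str, StreamState] = {}
    results: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        cols = line.rstrip("\n").split("\t")
        cols += [""] * (len(FIELDS) - len(cols))        # pad short rows
        _, t_str, stream_id, src, is_req, is_rsp = cols[:len(FIELDS)]
        if stream_id == "":
            continue                                    # not a TCP frame
        t = float(t_str)
        st = streams.setdefault(stream_id, StreamState())
        if flag_set(is_req):
            _close(stream_id, st, results)              # next request ends the response
            st.outstanding += 1
            st.burst_max = max(st.burst_max, st.outstanding)
        elif flag_set(is_rsp):
            _close(stream_id, st, results)              # back-to-back responses (pipelining)
            pipelined = st.burst_max > 1
            st.outstanding = max(0, st.outstanding - 1)
            if st.outstanding == 0:
                st.burst_max = 0
            st.open_resp = OpenResponse(t, src, t, pipelined)
        elif st.open_resp is not None and src == st.open_resp.server:
            st.open_resp.last_server_frame = t          # response-path continuation frame
    for sid, st in streams.items():                     # end of file closes what is left
        _close(sid, st, results)
    results.sort(key=lambda r: r["start"])
    return results


# Constructed sample rows (frame, time, stream, ip.src, http.request, http.response).
# Stream 0 is plain flip-flop traffic; stream 1 carries two pipelined requests.
SAMPLE_ROWS = ["\t".join(r) for r in [
    ("1", "0.000", "0", "10.0.0.5", "1", ""),
    ("2", "0.010", "0", "10.0.0.9", "", "1"),
    ("3", "0.020", "0", "10.0.0.9", "", ""),
    ("4", "0.025", "0", "10.0.0.5", "", ""),   # client ACK, not response path
    ("5", "0.030", "0", "10.0.0.9", "", ""),
    ("6", "0.100", "0", "10.0.0.5", "1", ""),
    ("7", "0.110", "0", "10.0.0.9", "", "1"),
    ("8", "0.120", "0", "10.0.0.9", "", ""),
    ("9", "0.200", "1", "10.0.0.5", "1", ""),
    ("10", "0.205", "1", "10.0.0.5", "1", ""),  # second request before any response
    ("11", "0.210", "1", "10.0.0.7", "", "1"),
    ("12", "0.220", "1", "10.0.0.7", "", ""),
    ("13", "0.230", "1", "10.0.0.7", "", "1"),
    ("14", "0.240", "1", "10.0.0.7", "", ""),
]]

if __name__ == "__main__":
    for rec in response_times(SAMPLE_ROWS):
        print(rec)
```

On a real capture, feed `subprocess.run(build_tshark_cmd(path), capture_output=True, text=True).stdout.splitlines()` into `response_times`. The `pipelined` flag marks exactly the records where the end time is an approximation, because with pipelining the boundary between consecutive responses can only be taken from the next `http.response` frame rather than from the next request.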

1 Answer


answered 2019-05-29 21:34:33 +0000

SYN-bit

Have a look at the transum dissector. It calculates (amongst others):

  • Time to first byte (server response time) as transum.st
  • Time to last byte (network transfer time) as transum.rspspread

And there are other transum fields that give insight into request/response transactions. The field names are not always intuitive, but it's not difficult to figure it out.

Oh, you do need to enable the transum dissector first, as it is disabled by default. (This can be done at: Analyze -> Enabled Protocols -> search for transum -> enable.)


Comments

Thanks - will have a look at that.

I need this to run via tshark - found Batch Processing with Tshark so that should be ok.

Looking at the Limitations section of the transum user guide it says it supports HTTP, but the fine print says

The APDUs within a stream follow a request-response-request-response pattern; we call this a 
flip-flop mode of operation
...
Therefore, if we look at a single TCP stream and we see two requests followed by two response, the 
Generic TCP Function cannot currently accurately calculate the RTE values.

Problem is the HTTP traffic I'm analyzing may use pipelining. That breaks that flip-flop model that transum needs.

Will have a play with it & see how it goes.

pmqs (2019-05-30 07:38:22 +0000)
