This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Calculate delta time between duplicate UDP Datagrams

0

Hi Everyone,

I hope there is a solution for this. I have a packet capture from a device's interface that is receiving UDP packets and sending them back out the same interface (there is no physical difference in the payload but there is in the L2 header because the MACs change). I need a report on how much time it takes to my device to process these packets and send them back.

This means I need a feature that can identify the duplicate packets on my file and then calculate the time difference between them. There is a feature called "editcap" that can work with duplicate packets but the only option I see is to delete the duplicates which obviously is not useful to me.

Any ideas?

asked 01 Apr '15, 22:45

ds3010's gravatar image

ds3010
6113
accept rate: 0%

edited 01 Apr '15, 23:21


One Answer:

0

This means I need a feature that can identify the duplicate packets on my file and then calculate the time difference between them.

There is no automatism in Wireshark to do that, however you can use tshark together with a script to do the calculation yourself.

First capture the traffic and store it in traffic.pcap.

Run tshark:

tshark -nr traffic.pcap -Y "port xxxx" -T fields -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -E separator=, -E header=y > output.txt

Then use a script (or a spreadsheet software) to calculate the time delta of frames with the same IP ID.

However: Be aware, that the time stamps in the frames will only reflect the time when the OS (kernel or NIC driver) has seen the frames, so the time delta contains the following parts: dt(application) + dt(IP stack) and you can't determine the value of dt(IP stack). If the difference to dt(application) is large enough, it won't matter, but if your application is really fast, it could be a problem, as you are then measuring the performance of the IP stack instead of your application.

Regards
Kurt

answered 02 Apr '15, 02:25

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%