Plot RTT histogram using wireshark or other tool

Question

I have a little office network and I'm experiencing a huge internet link latency. We have a simple network topology: a computer configured as router running ubuntu server 10.10, 2 network cards (one to internet link, other to office network) and a switch connecting 20 computers. I have a huge tcpdump log collected at the router and I would like to plot a histogram with the RTT time of all TCP streams to try to find out the best solution to this latency problem. So, could somebody tell me how to do it using wireshark or other tool?

Answer 1

Wireshark or tshark can give you the TCP RTT for each received ACK packet using tcp.analysis.ack_rtt which measures the time delta between capturing a TCP packet and the ACK for that packet.

You need to be careful with this as most of your ACK packets will be from your office machines ACKing packets received from the internet, so you will be measuring the RTT between your router seeing the packet from the internet and seeing the ACK from your office machine.

To measure your internet RTT you need to look for ACKS from the internet (ACKing data sent from your network). Assuming your office machines have IP addresses like 192.168.1.x and you have logged all the data on the LAN port of your router you could use a display filter like so:

tcp.analysis.ack_rtt and ip.dst==192.168.1.255/24

To dump the RTTs into a .csv for analysis you could use a tshark command like so;

tshark -r router.pcap -Y "tcp.analysis.ack_rtt and ip.dst==192.168.1.255/24" -e tcp.analysis.ack_rtt -T fields -E separator=, -E quote=d > rtt.csv

• The -r option tells tshark to read from your .pcap file
• The -Y option specifies the display filter to use (-R without -2 is deprecated)
• The -e option specifies the field to output
• The -T options specify the output formatting

You can use the mergecap utility to merge all your pcap files into one one file before running this command. Turning this output into a histogram should be easy!

Answer 2

Here's the 5-min perlscript inspired by rupello's answer:

#!/usr/bin/perl

# For a live histogram of rtt latencies, save this file as /tmp/hist.pl and chmod +x /tmp/hist.pl, then run:
# tshark -i wlp2s0 -Y "tcp.analysis.ack_rtt and ip.dst==192.168.0.0/16" -e tcp.analysis.ack_rtt -T fields -E separator=, -E quote=d  | /tmp/hist.pl 
# Don't forget to update the interface "wlp2s0" and "and ip.dst==..." bits as appropriate, type "ip addr" to get those.

@t[$m=0]=20;
@t[++$m]=10;
@t[++$m]=5;
@t[++$m]=2;
@t[++$m]=1;
@t[++$m]=0.9;
@t[++$m]=0.8;
@t[++$m]=0.7;
@t[++$m]=0.6;
@t[++$m]=0.5;
@t[++$m]=0.4;
@t[++$m]=0.3;
@t[++$m]=0.2;
@t[++$m]=0.1;
@t[++$m]=0.05;
@t[++$m]=0.04;
@t[++$m]=0.03;
@t[++$m]=0.02;
@t[++$m]=0.01;
@t[++$m]=0.005;
@t[++$m]=0.001;
@t[++$m]=0;

@h[0]=0;

while (<>) {
 s/\"//g; $n=$_; chomp($n); $o++;
 for ($i=$m;$i>=0;$i--) { if ($n<=$t[$i]) { $h[$i]++; $i=-1; }; };
 if ($i==-1) { $h[0]++; };
 print "\033c"; 
 for (0..$m) { printf "%6s %6s %8s\n",$t[$_],sprintf("%3.2f",$h[$_]/$o*100),$h[$_]; };
}

The newer versions of tshark seem to work better with a "stdbuf -i0 -o0 -e0 " in front of the "tshark".

PS Does anyone know if wireshark has DNS and ICMP rtt stats built in or how to easily get those?

2018 Update: See https://github.com/dagelf/pping