Wireshark Response Time
November 16, 2011 10:43 PM

Wireshark filter: How to pair request packets to response packets?

I feel like what I'm trying to do is very simple, but I'm failing nonetheless.

In Wireshark, I want to be able to select a specific request and then somehow find the matching response, and then compare the timestamps between the two of them to determine response time. I'm not interested in average response time as a whole across a whole bunch of requests/responses, I'm only interested in knowing the exact response time for specific requests.

Is this possible?
posted by JPowers to Computers & Internet (7 answers total) 5 users marked this as a favorite
Analyze -> Follow X Stream, but it sounds like you really want the Timeline pane in Firebug.
posted by rhizome at 11:26 PM on November 16, 2011

Easiest way I can think of is applying a display filter to get rid of everything that isn't the requests and responses you're interested in, then doing it by eye.

If you're talking about HTTP requests and responses, rhizome is probably right about a somewhat less general-purpose tool being somewhat more useful.
posted by flabdablet at 11:33 PM on November 16, 2011

Response by poster: I've tried using the Follow X Stream feature, and it comes SO close to giving me what I want, but it says nothing about time elapsed between the request and the response.

For example, here is a request for a .gif, which the Web server returns, and Wireshark clearly links the request/response for me in this nice clean window, it just doesn't say anywhere what the response time was.

Also, I can't use something like Firebug, as I'm capturing traffic during a load test. My load testing software is suggesting that certain static assets (e.g., .gif images) are failing to return within 300 seconds, and I want to use Wireshark to confirm this is actually true. So I want to filter by all requests where the URI contains the .gif's file name (which is easy to do) and then, somehow, be able to link each request to its matching response, and determine the elapsed time between the two.
posted by JPowers at 11:40 PM on November 16, 2011

Best answer: If Follow TCP Stream works for you to identify the HTTP conversation you want to monitor, try clicking the "Filter Out This Stream". That will return you to the main Wireshark window, with a display filter in effect that looks something like

!(tcp.stream eq 11)

If you edit out the leading ! then the filter will show you only the packets forming the stream you just followed, rather than removing those packets. From there, it's fairly easy to eyeball-match an HTTP GET with the next HTTP/1.0 200 OK or whatever.
posted by flabdablet at 11:53 PM on November 16, 2011 [3 favorites]

...and I've just noticed that clicking Close rather than Filter Out This Stream in the Follow Stream window applies the positive form of the filter, immediately showing you only those packets making up the stream you just followed.
posted by flabdablet at 11:57 PM on November 16, 2011

Also, under View->Time Format there's a "seconds since previous displayed packet" option that will probably be of use to you.
posted by flabdablet at 11:58 PM on November 16, 2011 [1 favorite]
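As an added example (not code from the thread), here is a script that does the matching flabdablet describes doing by eye: it reads rows in the shape of tshark `-T fields` output, pairs each HTTP response with the oldest unanswered request on the same tcp.stream, and reports elapsed time, flagging .gif requests over the 300-second limit from the question. The sample rows are constructed; the field names are real Wireshark fields, but the capture and the stream numbers are assumptions.

```python
import collections

# Constructed sample rows (not from the thread) in the shape produced by
#   tshark -r capture.pcap -Y http -T fields -e frame.time_relative \
#          -e tcp.stream -e http.request.uri -e http.response.code
# Tab-separated; a request row has an empty status and vice versa.
SAMPLE = """\
0.000000\t11\t/images/logo.gif\t
0.081200\t11\t\t200
0.090000\t12\t/images/spinner.gif\t
0.095000\t11\t/css/site.css\t
0.250000\t11\t\t200
1.000000\t13\t/images/never.gif\t
305.400000\t12\t\t200
"""

def parse_fields(text):
    """Turn tshark field rows into (time, stream, uri, status) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, stream, uri, status = line.split("\t")
        rows.append((float(t), int(stream), uri or None, status or None))
    return rows

def pair_requests(rows):
    """Match each response to the oldest unanswered request on the same
    tcp.stream (HTTP/1.x answers requests in order on one connection).
    Returns (pairs, unanswered); each pair is
    (stream, uri, request_time, response_time, elapsed_seconds)."""
    pending = collections.defaultdict(collections.deque)
    pairs = []
    for t, stream, uri, status in rows:
        if uri is not None:
            pending[stream].append((t, uri))
        elif status is not None and pending[stream]:
            req_t, req_uri = pending[stream].popleft()
            pairs.append((stream, req_uri, req_t, t, round(t - req_t, 6)))
    unanswered = [(s, u, t) for s, q in pending.items() for t, u in q]
    return pairs, unanswered

def slow_requests(pairs, name=".gif", threshold=300.0):
    """Pairs whose URI contains `name` and exceeded `threshold` seconds."""
    return [p for p in pairs if name in p[1] and p[4] > threshold]

if __name__ == "__main__":
    pairs, pending = pair_requests(parse_fields(SAMPLE))
    for p in pairs:
        print("stream %d %s %.3fs" % (p[0], p[1], p[4]))
    print("slow:", slow_requests(pairs), "unanswered:", pending)
```

Requests that never get a response (the load-test timeouts the poster is chasing) show up in the unanswered list rather than silently disappearing.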

Response by poster: Flabdablet, you rock! Exactly what I was looking for. Thanks so much!
posted by JPowers at 12:07 AM on November 17, 2011
