Wireshark-users: Re: [Wireshark-users] Comparing Capture Files from Multiple Locations

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 10 Oct 2008 00:37:13 +0200
On Thu, Oct 09, 2008 at 02:49:31PM -0700, Barry Constantine wrote:
> 
> One question though; what happens when there is variable latency in the
> link (congestion), it would seem that a fixed time offset would cause
> packets to be ordered in correctly.
> 
> Or am I looking at this the wrong way?

Nope, you're looking at it in exactly the right way. But I did not
want to get things more complicated than necessary first :-)

If there is variable latency, then averaging won't do us any good. But
for every packet for which we know in which direction it flowed, we
can calculate the minimum correction needed so that the packet won't
travel back in time after applying the correction. If we list all these
minimum corrections for packets in each direction, there will be a 
small empty interval where we did not find any correction values. This
gap represents the minimum RTT of the connection and picking a
correction value in the middle of this gap will give quite good 
results :-)

Of course you can script this behavior, for an example on how to do
this, have a look at example 7 of my Sharkfest presentation:

http://www.cacetech.com/SHARKFEST.08/D01_Blok_Advanced%20Scripting,%20Command%20Line%20Usage%20with%20tshark.ppt

Cheers,
    Sake