On Thu, Mar 12, 2009 at 01:46:03PM -0500, Wynns, Roger [OXFORD] wrote:
> I have a question about how tcp.analysis.ack_rtt is calculated... In the
> documentation (Wikipedia.org) RTT is calculated from the three-way
> handshake, but it appears that in Wireshark it is also calculated for each
> ACK. So my question is: how is it calculated, and is it possible to just
> get the RTT numbers for just the three-way handshake?
Yes, it is calculated for each ACK, but there was some discussion
recently on which packets should contain this field...
> What I am trying to get is the RTT for each port connection that the
> client makes to use as baseline data.
Something like:

  tshark -r <file> -R "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e tcp.analysis.ack_rtt

will get you a list of the RTT of each SYN/ACK. You might want to add
server IP and port:

  tshark -r traces/sharkfest-1.cap -R "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e ip.src -e tcp.srcport -e tcp.analysis.ack_rtt

Hope this helps,
Cheers,
Sake
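
An added example, not part of the original message: one way to turn the output of the second command into per-server baseline figures (count, min, average and max handshake RTT in milliseconds). The function names and the sample lines are constructed for illustration; the input is assumed to be the tab-separated ip.src, tcp.srcport, tcp.analysis.ack_rtt columns that -T fields prints.

```shell
#!/bin/sh
# Summarise handshake RTT per server endpoint from tshark field output.
# Input on stdin: ip.src <TAB> tcp.srcport <TAB> tcp.analysis.ack_rtt (seconds),
# one line per SYN/ACK.
# Output: endpoint <TAB> count <TAB> min_ms <TAB> avg_ms <TAB> max_ms, sorted.
rtt_baseline() {
    awk -F '\t' '
        # Skip rows where no ack_rtt value was printed (empty third field).
        NF < 3 || $3 == "" { next }
        {
            key = $1 ":" $2
            ms = $3 * 1000
            n[key]++
            sum[key] += ms
            if (n[key] == 1 || ms < min[key]) min[key] = ms
            if (n[key] == 1 || ms > max[key]) max[key] = ms
        }
        END {
            for (k in n)
                printf "%s\t%d\t%.3f\t%.3f\t%.3f\n", k, n[k], min[k], sum[k] / n[k], max[k]
        }
    ' | sort
}

# Constructed sample input (documentation addresses, not from a real capture).
# The fourth line has an empty RTT field to exercise the skip rule.
sample_rtt_lines() {
    printf '192.0.2.10\t80\t0.012000000\n'
    printf '192.0.2.10\t80\t0.018000000\n'
    printf '192.0.2.10\t443\t0.025000000\n'
    printf '198.51.100.7\t22\t\n'
    printf '198.51.100.7\t22\t0.101500000\n'
}

sample_rtt_lines | rtt_baseline
```

With a real capture, pipe the tshark command straight into rtt_baseline instead of sample_rtt_lines.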