Wireshark-users: [Wireshark-users] tcp.analysis.ack_rtt - Unexpected short TCP RTT

From: "Francis-CM Chan" <francis-cm_chan@xxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 13 Jun 2009 10:32:41 +0800
Hi,

Currently, I am studying the latency between a typical internet use and
a online game server. I use the tcp.analsyis.ack_rtt to extract
information for analysis. Here is my command line:

tshark -Tfields -E header=y -e frame.number -e frame.time_relative -e
ip.src -e tcp.flags -e tcp.analysis.acks_frame -e tcp.analysis.ack_rtt
-r tcp.analysis.ack_rtt.pcap > tcp.analysis.ack_rtt.txt

The attached capture file is a short extraction of the TCP dialog
between the 2 end points (user 192.168.1.102 and server
202.123.175.210). The monitoring point was at the user side made
possible by inserting an Extreme switch with a mirroring port
configured. The capturing machine is an IBM X61 notebook running WinXP.

I understand that I should use the tcp.analysis.ack_rtt for the
direction 202.123.175.210->192.168.1.102 (i.e. ip.src ==
202.123.175.210) for the measure of the rtt of the communication link.
However, to my surprise, I get extraordinary short measure for some
specific cases. For example, frame 13, 16, 39, 52.

Can any expert help to explain what is going on, or do I
misunderstanding something? If my concept is right, would it be
something wrong with the capturing environment?

Regards,
Francis Chan

=========== output from tshark ================

frame	frame.time	ip.src			tcp.flags
tcp.analysis.acks_frame	tcp.analysis.ack_rtt
1	0		202.123.175.210	0x18		
2	0.139957	192.168.1.102	0x10	1	0.139957
3	0.331267	202.123.175.210	0x18	2	0.19131
4	0.44172		192.168.1.102	0x10	3	0.110453
5	0.510189	202.123.175.210	0x18	4	0.068469
6	0.643078	192.168.1.102	0x10	5	0.132889
7	0.813951	202.123.175.210	0x10	6	0.170873
8	0.823548	202.123.175.210	0x10		
9	0.823555	192.168.1.102	0x10	8	0.000007
10	0.903789	202.123.175.210	0x10	9	0.080234
11	0.913734	202.123.175.210	0x10		
12	0.913891	192.168.1.102	0x10	11	0.000157
13	0.92357		202.123.175.210	0x10	12	0.009679
14	0.993972	202.123.175.210	0x10		
15	0.993979	192.168.1.102	0x10	14	0.000007
16	1.003893	202.123.175.210	0x10	15	0.009914
17	1.004383	202.123.175.210	0x18		
18	1.004389	192.168.1.102	0x10	17	0.000006
19	1.30019		202.123.175.210	0x18	18	0.295801
20	1.447811	192.168.1.102	0x10	19	0.147621
21	1.580027	202.123.175.210	0x18	20	0.132216
22	1.749584	192.168.1.102	0x10	21	0.169557
23	1.820187	202.123.175.210	0x18	22	0.070603
24	1.950755	192.168.1.102	0x10	23	0.130568
25	2.220194	202.123.175.210	0x18	24	0.269439
26	2.353105	192.168.1.102	0x10	25	0.132911
27	2.420021	202.123.175.210	0x18	26	0.066916
28	2.554268	192.168.1.102	0x10	27	0.134247
29	2.756383	192.168.1.102	0x18		
30	2.757533	192.168.1.102	0x18		
31	2.820148	202.123.175.210	0x10		
32	2.843951	202.123.175.210	0x10		
33	2.853885	202.123.175.210	0x10		
34	2.857996	192.168.1.102	0x10	33	0.004111
35	2.863548	202.123.175.210	0x10		
36	2.880125	202.123.175.210	0x10	30	0.122592
37	2.953777	202.123.175.210	0x10		
38	2.954035	192.168.1.102	0x10	37	0.000258
39	2.963877	202.123.175.210	0x10	38	0.009842
40	2.972585	202.123.175.210	0x18		
41	2.972592	192.168.1.102	0x10	40	0.000007
42	3.051291	202.123.175.210	0x18	41	0.078699
43	3.157789	192.168.1.102	0x10	42	0.106498
44	3.231312	202.123.175.210	0x18	43	0.073523
45	3.334778	192.168.1.102	0x18	44	0.103466
46	3.334784	192.168.1.102	0x18		
47	3.338861	192.168.1.102	0x18		
48	3.400308	202.123.175.210	0x18		
49	3.430135	202.123.175.210	0x10	47	0.091274
50	3.444544	202.123.175.210	0x10		
51	3.444984	192.168.1.102	0x10	50	0.00044
52	3.446886	202.123.175.210	0x10	51	0.001902
53	3.513886	202.123.175.210	0x10		
54	3.513895	192.168.1.102	0x10	53	0.000009
55	3.52455		202.123.175.210	0x10	54	0.010655
56	3.533878	202.123.175.210	0x10		
57	3.533885	192.168.1.102	0x10	56	0.000007
58	3.583883	202.123.175.210	0x10	57	0.049998
59	3.593878	202.123.175.210	0x10		
60	3.593888	192.168.1.102	0x10	59	0.00001
 

Experience the true Internet.  Right on your mobile. Right now.
www.smartone-vodafone.com

************************************ E-mail Disclaimer ************************************
This e-mail message (together with any attachments) is confidential to the addressee 
and may also be privileged. If you are not the intended recipient, you are hereby notified 
that any dissemination, distribution or copying of this message is strictly prohibited.  
Please also notify the sender immediately by return e-mail and delete it from your system. 
 
Internet communications cannot be guaranteed to be secure or error-free.  
The sender and the entity through which this message is sent therefore do not accept 
liability for errors or omissions as contained in the message and any spreading of viruses 
as a result of Internet transmission.   
 
Any opinions contained in this message are those of the sender personally and would 
not bind any entity unless otherwise clearly stated and with the authority of the sender 
duly verified. 
*******************************************************************************************

Attachment: tcp.analysis.ack_rtt.pcap
Description: tcp.analysis.ack_rtt.pcap