Plot RTT histogram using wireshark or other tool

Submitted by 不问归期 on 2020-01-01 03:20:55

Question


I have a little office network and I'm experiencing huge internet link latency. We have a simple network topology: a computer configured as a router running Ubuntu Server 10.10, with 2 network cards (one to the internet link, the other to the office network), and a switch connecting 20 computers. I have a huge tcpdump log collected at the router and I would like to plot a histogram of the RTT of all TCP streams to try to find out the best solution to this latency problem. So, could somebody tell me how to do it using Wireshark or another tool?


Answer 1:


Wireshark or tshark can give you the TCP RTT for each received ACK packet using tcp.analysis.ack_rtt which measures the time delta between capturing a TCP packet and the ACK for that packet.

You need to be careful with this as most of your ACK packets will be from your office machines ACKing packets received from the internet, so you will be measuring the RTT between your router seeing the packet from the internet and seeing the ACK from your office machine.

To measure your internet RTT you need to look for ACKS from the internet (ACKing data sent from your network). Assuming your office machines have IP addresses like 192.168.1.x and you have logged all the data on the LAN port of your router you could use a display filter like so:

tcp.analysis.ack_rtt and ip.dst==192.168.1.255/24

To dump the RTTs into a .csv for analysis you could use a tshark command like so:

tshark -r router.pcap -Y "tcp.analysis.ack_rtt and ip.dst==192.168.1.255/24" -e tcp.analysis.ack_rtt -T fields -E separator=, -E quote=d > rtt.csv

  • The -r option tells tshark to read from your .pcap file
  • The -Y option specifies the display filter to use (-R without -2 is deprecated)
  • The -e option specifies the field to output
  • The -T options specify the output formatting

You can use the mergecap utility to merge all your pcap files into one file before running this command. Turning this output into a histogram should be easy!




Answer 2:


Here's the 5-minute Perl script inspired by rupello's answer:

#!/usr/bin/perl
use strict;
use warnings;

# For a live histogram of rtt latencies, save this file as /tmp/hist.pl and chmod +x /tmp/hist.pl, then run:
# tshark -i wlp2s0 -Y "tcp.analysis.ack_rtt and ip.dst==192.168.0.0/16" -e tcp.analysis.ack_rtt -T fields -E separator=, -E quote=d | /tmp/hist.pl
# Don't forget to update the interface "wlp2s0" and "and ip.dst==..." bits as appropriate, type "ip addr" to get those.

# Bucket upper bounds in seconds, descending: bucket $i holds $t[$i+1] < rtt <= $t[$i],
# and anything above $t[0] is also counted in bucket 0.
my @t = (20, 10, 5, 2, 1, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1,
         0.05, 0.04, 0.03, 0.02, 0.01, 0.005, 0.001, 0);
my $m = $#t;          # index of the last (smallest) bound
my @h = (0) x @t;     # per-bucket counts
my $o = 0;            # total samples seen

while (<>) {
    s/"//g;                   # strip the quotes added by -E quote=d
    chomp(my $n = $_);
    next if $n eq '';         # skip lines carrying no value
    $o++;
    my $placed = 0;
    for (my $i = $m; $i >= 0; $i--) {
        if ($n <= $t[$i]) { $h[$i]++; $placed = 1; last; }
    }
    $h[0]++ unless $placed;   # rtt larger than the biggest bound
    print "\033c";            # clear the terminal, then redraw the table
    for (0 .. $m) {
        printf "%6s %6s %8s\n", $t[$_], sprintf("%3.2f", $h[$_] / $o * 100), $h[$_];
    }
}

The newer versions of tshark seem to work better with a "stdbuf -i0 -o0 -e0 " in front of the "tshark".

PS Does anyone know if wireshark has DNS and ICMP rtt stats built in or how to easily get those?

2018 Update: See https://github.com/dagelf/pping
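As an added example (not code from the original answers), the same bucketing as the Perl script above, applied offline to the rtt.csv that the tshark command in Answer 1 produces, plus nearest-rank p50/p95 so tail latency is visible and not just the bucket counts. The edges, the SAMPLE lines and the field format are assumptions: SAMPLE is constructed, not taken from a real capture.

```python
"""Bucket TCP ACK RTTs from 'tshark -T fields -E quote=d' output into a histogram."""
import math
import sys
from bisect import bisect_left

# Bucket upper edges in seconds, ascending; same edges as the Perl script above.
# Bucket i holds EDGES[i-1] < rtt <= EDGES[i]; anything above 20 s goes to an overflow bucket.
EDGES = [0, 0.001, 0.005, 0.01, 0.02, 0.03, 0.04, 0.05, 0.1, 0.2, 0.3, 0.4,
         0.5, 0.6, 0.7, 0.8, 0.9, 1, 2, 5, 10, 20]

# Constructed sample of tshark output lines (not from a real capture); the empty
# line mimics a packet for which tshark printed no value.
SAMPLE = ['"0.000120"', '"0.012500"', '"0.250000"', '', '"0.042000"',
          '"1.700000"', '"35.000000"']

def parse_rtts(lines):
    """Parse one double-quoted float per line; skip blank lines."""
    rtts = []
    for line in lines:
        value = line.strip().strip('"')
        if value:
            rtts.append(float(value))
    return rtts

def histogram(rtts, edges=EDGES):
    """Return [(upper_edge_seconds, count, percent_of_total)] per bucket, overflow last."""
    counts = [0] * (len(edges) + 1)
    for rtt in rtts:
        counts[bisect_left(edges, rtt)] += 1
    total = len(rtts) or 1
    labels = edges + [math.inf]
    return [(labels[i], counts[i], 100.0 * counts[i] / total) for i in range(len(counts))]

def percentile(rtts, p):
    """Nearest-rank percentile (0 < p <= 100): the value at rank ceil(p/100 * N)."""
    ordered = sorted(rtts)
    if not ordered:
        return math.nan
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]

def main():
    rtts = parse_rtts(sys.stdin)   # e.g. python3 rtt_hist.py < rtt.csv
    for edge, count, pct in histogram(rtts):
        print("<= {:>6} s {:>8d} {:>6.2f}%".format(edge, count, pct))
    print("p50={:.4f}s p95={:.4f}s".format(percentile(rtts, 50), percentile(rtts, 95)))

if __name__ == "__main__":
    main()
```

Because the script counts whatever it is fed, pair it with the ip.dst filter from Answer 1 so that the histogram reflects ACKs arriving from the internet rather than from the office machines.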




Answer 3:


You can use tshark statistics to create a table of all TCP conversations:
$ tshark -r test.pcap -q -z conv,tcp
================================================================================
TCP Conversations
Filter:
                                               |             | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
192.168.108.2:2720      147.234.1.253:21          28      2306      18      1047      46      3353
147.234.1.253:58999     192.168.108.2:2721         3       170       2       122       5       292
192.168.108.2:2718      147.137.21.94:139          0         0       3       186       3       186
192.168.108.2:2717      147.137.21.94:445          0         0       3       186       3       186
================================================================================

Or use this little script:

for file in *.pcap
do
   tshark -r "$file" -q -z conv,tcp > "$file.txt"
done


Source: https://stackoverflow.com/questions/6962133/plot-rtt-histogram-using-wireshark-or-other-tool
