From: Chuck Swiger
To: Norberto Meijome
Cc: FreeBSD Questions ML
Subject: Re: [OT ?] getting stats out of network capture
Date: Thu, 24 Jul 2008 17:42:04 -0700
Message-Id: <40515BC3-EB63-4A74-9A4F-B91A6C1D1B4D@mac.com>
In-Reply-To: <20080725101242.64fdabc1@ayiin>

Hi--

On Jul 24, 2008, at 5:12 PM, Norberto Meijome wrote:
> I'm interested in knowing the application level RTT for a HTTP application -
> ie, not from SYN , SYN/ACK ... FIN , FIN/ACK , but from the POST (http.request
> in wireshark) by an app on my side to the response by the server
> (http.response). I have no access to either app's code.

Try something like this on the webserver or client machine:

    # tcpdump -ttt -q -n -A tcp port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
    000000 IP 17.227.140.124.49729 > 199.103.21.227.80: tcp 488
    E....K@./.%....|.g...A.P.4`...&8...."c..... 9".,....GET /server-status HTTP/1.1 H
    001348 IP 199.103.21.227.80 > 17.227.140.124.49729: tcp 1448
    E....Y@.@....g.....|.P.A..&8.4b.....J...... ....9".,HTTP/1.1 200 OK

...which indicates a delay of 1.348 ms from the HTTP GET to the HTTP 200
response. This is using the following "delta timestamp" mode:

    -ttt   Print a delta (in micro-seconds) between current and previous
           line on each dump line.

If you use tcpdump -w to save the packets captured to a file for analysis, you
can feed it to the net/tcpflow port to reconstruct this into individual flows,
which will make it easier to figure out if your traffic starts getting
interleaved.

Regards,
-- 
-Chuck
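
The following is an added example, not part of the original message: a Python parser for `tcpdump -ttt -q -n -A` text output that rebuilds a running clock from the per-line deltas and pairs each HTTP request with the first response on the same connection, so the figure stays correct when other packets are interleaved. The sample capture, its addresses and the function names are constructed for illustration; it assumes one outstanding request per connection and accepts the bare-microsecond delta shown above as well as the hh:mm:ss.micros form printed by newer tcpdump.

```python
import re

# Header line of `tcpdump -ttt -q -n`; delta is bare microseconds or hh:mm:ss.micros.
HDR = re.compile(r"^\s*(\d+|\d+:\d\d:\d\d\.\d{6}) IP (\S+) > (\S+): tcp \d+")
REQ = re.compile(r"(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]")
RESP = re.compile(r"HTTP/1\.[01] \d{3}")

def delta_us(field):
    if ":" not in field:
        return int(field)
    h, m, s = field.split(":")
    return round(((int(h) * 60 + int(m)) * 60 + float(s)) * 1_000_000)

def http_rtts(lines):
    """Return (client, request line, rtt in microseconds) per request/response pair."""
    clock = 0       # absolute time rebuilt by summing the per-line deltas
    cur = None      # (src, dst) of the packet whose payload is being read
    pending = {}    # (client, server) -> (request line, clock when it was seen)
    out = []
    for line in lines:
        hdr = HDR.match(line)
        if hdr:
            clock += delta_us(hdr.group(1))
            cur = (hdr.group(2), hdr.group(3))
        elif cur:
            req = REQ.search(line)
            if req:
                pending.setdefault(cur, (req.group(0), clock))
                cur = None
            elif RESP.search(line) and cur[::-1] in pending:
                text, t0 = pending.pop(cur[::-1])
                out.append((cur[1], text, clock - t0))
                cur = None
    return out

# Constructed sample: two interleaved connections plus one payload-less ACK.
SAMPLE = """\
000000 IP 192.0.2.10.49729 > 198.51.100.5.80: tcp 488
E....K@./...GET /server-status HTTP/1.1
000400 IP 192.0.2.10.49730 > 198.51.100.5.80: tcp 300
E....L@./...POST /api HTTP/1.1
000948 IP 198.51.100.5.80 > 192.0.2.10.49729: tcp 1448
E....Y@.@...HTTP/1.1 200 OK
002000 IP 198.51.100.5.80 > 192.0.2.10.49730: tcp 0
004000 IP 198.51.100.5.80 > 192.0.2.10.49730: tcp 512
E....Z@.@...HTTP/1.1 201 Created
""".splitlines()
for client, request, rtt in http_rtts(SAMPLE):
    print(f"{client}  {request}  {rtt / 1000:.3f} ms")
```

Reading only the delta printed on the response line would give 4.000 ms for the second connection; summing the deltas since its request gives the actual 6.948 ms.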