If you've ever resized your analyzer's summary window to move those pesky time columns out of sight -- stop! Those...
columns can help you evaluate performance and spot some serious network errors.
There are there basic time values associated with each packet in a trace file:
- Relative time
- Delta time (a.k.a. Interpacket Time)
- Absolute time
The relative time column indicates when a packet arrived relative to the first packet in the trace buffer. If you have 'marked' another packet, your relative time column is based on the time since that marked packet arrived.
When I'm reviewing a trace of a specific process such as logging in, I can determine the entire time required by the process by looking at the last packet and checking its relative time value.
In some cases, I'll mark a specific packet in a trace (such as the Active Monitor Present packet on a Token Ring network) and then look at how much time passes between that packet and the next packets. In the case of the Token Ring network, I might look at the time between AMP packets to determine the status of the ring poll process.
Delta time (a.k.a. Interpacket Time)
The delta time (also referred to as the Interpacket Time) is the time between packets (or, more accurately this value is defined as the time from the end of one packet to the end of the next packet since most analyzers don't subtract the actual receiving time of the packet).
I can also determine the roundtrip latency time when I look at a request packet and examine the delta time value between the request and response packets. Figure 1 illustrates how this column can help troubleshoot network communication problems.
In Figure 1, we are examining a client login process – we can see several sudden increases in the communication sequences between 10.57.0.164 and the other devices on the network – 3 second interval, 6 second interval and finally an 11+ second interval between repeated UDP transmissions. There never appears to be a response of any type (it appears the client application has a 'retry' mechanism that transmits packets at approximately 6, 6, and 11 second intervals). Ugh. This is a bad day for this client.
Figure 1: Examining the delta time value indicated a sudden lock-up at a client.
When we examined this process further, we could see a consistent series of delays when a specific process occurred. The delta time value was the first visible evidence of a consistent problem based on a communication fault.
Finally, we have the absolute time value -- the simplest value of all. The absolute time field indicates when a packet arrived based on the date/time of the analyzer system. This is especially useful when you have set up a triggered capture for the middle of the night. When you review the trace file, you can see the exact time that a packet arrived, even though you weren't there to catch it.
Make the most of your analyzer and use the various time value columns to help characterize and troubleshoot network communications.
Laura Chappell is the Senior Protocol Analyst for the Protocol Analysis Institute. She is the author of numerous books and self-paced courseware available online at www.packet-level.com and www.podbooks.com. Laura also lectures on analysis, optimization and cybercrime. Her course schedule is online at www.packet-level.com.