This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing http response delays

0

Can someone tell me how I set this up for capture? I'm trying to discover delayed http responses to http requests from a particular PC on our LAN. Its IP address is 192.168.1.73. I don't know the web server's address yet but I will in a minute so we can just make one up for now for this discussion.

asked 19 Jul '13, 11:33

WineGeek
11112
accept rate: 0%


One Answer:

0

I would do it this way.

Display filter: ip.addr eq 192.168.1.73 and (http.request or http.response)

Then set the Time column to the following format:

View -> Time Display Format -> Seconds Since Beginning of Capture

As the client is also able to send several requests at the same time (in different TCP connections), you need to check the TCP Stream number as well. For this purpose, please add a new column in the GUI for the tcp.stream value. Here is how to do this:

Edit -> Preferences -> User Interface -> Columns

Add a column called "TCP Stream". Then choose Custom as type and tcp.stream as value.

Then sort the GUI by the "TCP Stream" column.

Then use a Time Reference (CTRL-T in the GUI) for easy delta time calculation between request and response. As you can see the 'delay' (delta) between request and response is 2.144 seconds for the first request and 0.2605 for the second request.

You can also use tshark with some scripting:

tshark -nr input.pcap -R "ip.addr eq 192.168.1.73 and (http.request or http.response)" -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e tcp.stream -e http.request.full_uri -e http.response.code -e http.response.phrase

Regards
Kurt

answered 22 Jul '13, 06:33

Kurt Knochner ♦
24.8k1039237
accept rate: 15%
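
One way to do the "some scripting" step from the answer above, as an added example that is not part of the original post: it pairs each response with the oldest unanswered request on the same tcp.stream and reports the delta, plus requests that never got a response. It assumes tab-separated tshark output with the fields in the order used in the answer; the sample rows, the server address 203.0.113.10 and the example.com URIs are constructed.

```python
import sys
from collections import defaultdict, deque

# Column order = the -e options of the tshark command in the answer.
FIELDS = ("frame", "time", "src", "dst", "stream", "uri", "code", "phrase")

# Constructed sample rows (not from a real capture); two streams interleaved.
SAMPLE = "\n".join([
    "4\t0.250000\t192.168.1.73\t203.0.113.10\t0\thttp://www.example.com/\t\t",
    "9\t0.300000\t192.168.1.73\t203.0.113.10\t1\thttp://www.example.com/logo.png\t\t",
    "15\t0.560500\t203.0.113.10\t192.168.1.73\t1\t\t200\tOK",
    "21\t2.394000\t203.0.113.10\t192.168.1.73\t0\t\t200\tOK",
    "30\t3.000000\t192.168.1.73\t203.0.113.10\t2\thttp://www.example.com/slow\t\t",
])

def response_delays(lines):
    """Return (rows, unanswered): one row per request/response pair, and the
    requests for which no response was seen in the capture."""
    pending = defaultdict(deque)      # tcp.stream -> FIFO of (frame, time, uri)
    rows = []
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) < 5 or not cols[0].isdigit():
            continue                  # blank or malformed line
        cols += [""] * (len(FIELDS) - len(cols))
        rec = dict(zip(FIELDS, cols))
        t = float(rec["time"])
        if rec["uri"]:                # http.request.full_uri set -> request
            pending[rec["stream"]].append((rec["frame"], t, rec["uri"]))
        elif rec["code"] and not rec["code"].startswith("1") and pending[rec["stream"]]:
            # Final response (1xx interim responses are skipped): pair in order.
            frame, t_req, uri = pending[rec["stream"]].popleft()
            rows.append({"stream": rec["stream"], "request_frame": frame,
                         "response_frame": rec["frame"], "uri": uri,
                         "code": rec["code"], "delay": round(t - t_req, 6)})
    unanswered = [(s, f, u) for s, q in pending.items() for f, _, u in q]
    return rows, unanswered

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    rows, unanswered = response_delays(src)
    for r in sorted(rows, key=lambda r: r["delay"], reverse=True):
        print(f'{r["delay"]:9.4f}s  stream {r["stream"]}  frames '
              f'{r["request_frame"]}->{r["response_frame"]}  {r["code"]}  {r["uri"]}')
    for s, f, u in unanswered:
        print(f"no response  stream {s}  frame {f}  {u}")
```

Save the tshark output to a file and pass its path as the first argument. On tshark 1.10 and later the display filter is given with -Y (or with -R together with -2).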