This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter Inter Packet Arrival time

0

Hi,

in the wireshark trace I can see column- Delta time which is Inter Frame time at Layer 2. I want separate column which shows Inter Packet Arrival Time at Layer 3. Can somebody help me how to calculate or add filter as Inter Packet Arrival time.

RGDS Sudharshan

asked 15 Mar '14, 06:16

sudharshan's gravatar image

sudharshan
11112
accept rate: 0%

edited 15 Sep '14, 22:33

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

1

There is only 1 timestamp associated with every frame(=packet) and it is not necessarily time that Layer 2 saw it. In some trace formats you don't even have Layer 2 information (raw-ip).
So I'm not sure what you are trying to achieve. Do you want to trace the delays within DLC and IP layer of the traced stack?

(15 Mar '14, 12:02) mrEEde

I am working on a project where I need to find Inter Packet Arrival time at Layer3. Pls enlighten me if the Delta Time column in Wireshark is same as the Inter Packet Arrival time at Layer3.

(15 Mar '14, 12:09) sudharshan

[re-submitting this comment as it was lost in translation]

No it isn't. The delta time is the time between frames. So for example, if you had frames #1 and #3 with IP packets, but frame #2 with a DHCP or ARP packet, then the delta time displayed in frame #3 would be relative to #2, not #1. (and this is assuming you want the delta time between any two layer-3 packets, as opposed to the time between two IP packets of the same source/dest addresses and TCP/UDP ports)

(Oh, and the answer is 42)

(15 Mar '14, 13:32) Hadriel

2 Answers:

1

I don't know much about all you can do with Columns. I know you could do it with a Lua script, but I'm guessing there's some way to do it without that. I was going to suggest the Delta Time (conversation) one, but that appears to do nothing on my system.

answered 15 Mar '14, 12:37

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Hi Hadriel,

thats my problem. I need to find Inter Packet Arrival time not the Inter Frame Time from the Wireshark Trace. Can you suggest any solutions to get Inter Packet Arrival Times.

(15 Mar '14, 12:28) sudharshan

BTW, did you delete your previous answer and my comment to it?? You shouldn't delete previous comments, because it loses the context of the discussion. (other people may view this question/answer thread someday)

I'm actually surprised this system let you delete someone else's comments.

(15 Mar '14, 12:38) Hadriel

Hi Hadriel,

I didnot delete anything. Infact I am surprised I could not see your previous comment here too, I have replied by seeing my mail alert. it seems some problem.

(15 Mar '14, 12:42) sudharshan

@sudharshan: I converted your answer to a comment of your own question. Please read the FAQ how this site works. In short: Don't add yourself answers, add comments to the answers of others.

UPDATE: Maybe I moved the answer of @sudharshan, while @Hadriel was commenting on it. Maybe that deleted the comment of @Hadriel.

(15 Mar '14, 13:09) Kurt Knochner ♦

@Kurt: we're talking about a different answer+comment that's disappeared somehow - it's not been converted, but just gone altogether. (I'm not sure if you were referring to the missing answer+comment, or the answer+comments that you just converted a minute ago that are still here but are now properly done)

(15 Mar '14, 13:14) Hadriel

@Hadriel: I converted an answer of @sudharshan, which is now the second comment of the original question. Did you comment on that? If so, your comment probably got lost during the answer -> comment conversion, if I converted it, while you wrote the comment.

(15 Mar '14, 13:16) Kurt Knochner ♦

Hi Hadriel, Thanks

Can you suggest me how to do with Lua Script or any alternative solutions.

(15 Mar '14, 13:26) sudharshan

@Kurt: yup that was it - the second comment of the original question was an answer previously, which I commented on. (I would have converted it myself before commenting, but I think that's only possible for the admins like you)

No biggie anyway. I was just curious what happened. It's too bad though - my comment answered the question of life, the universe, and everything. ;)

(15 Mar '14, 13:27) Hadriel

@Hadriel: You should be able to do it yourself with a certain amount of Karma points (not sure how many you would need - see the FAQ).

(15 Mar '14, 13:30) Kurt Knochner ♦

@Kurt: huh, I had not realized that. It looks like I could do it once I reach 400... I'm at 366 right now - so tantalizingly close to wielding ultimate power! Muwhahaha!

(15 Mar '14, 13:37) Hadriel

Oh no. What have I done .... ;-)

(16 Mar '14, 05:05) Kurt Knochner ♦
showing 5 of 11 show 6 more comments

0

How about this: add a column for "Delta Time displayed". Then set your display filter to "ip" (assuming that's the layer-3 protocol you're interested in). That would now only display IP packets, and thus the delta time shown is their IPG.

answered 15 Mar '14, 13:45

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Thank you Hadriel for your smart solution. I will have a check on this.

(15 Mar '14, 16:34) sudharshan