When I look at a TCP connection I see that nearly every ACK packet is used to transmit data to the other side which is perfectly fine. So in theory every sent packet should get an ACK, right? So far so good. But why does Wireshark not calculate the RTT time for every ACK packet? Not that it looks wrong, quite the opposite. But I would like to understand when Wireshark does calculate the RTT? Only for ACK packets with Len 0 (not always the case) or can it detect that multiple packets are ACKed by a delayed ACK? Below is a typical ACK packet shown which should? have a calculated RTT time. Are RTT times in general useful or are they more confusing when Delayed ACKs are enabled for a socket? I am having a hard time to identify latency issues in the 200ms region where I have tons of 200ms RTT packets on some sockets. This makes it quite hard to identify latency issues in an application if high RTT times are so common. A much more reliable sign of bad network are TCP Retransmits and Duplicate Acks. But RTT should be also helpful here. asked 21 Jun '14, 15:31  akraus1 |
One Answer:
Actually, no. That's not the case. See the answer(s) to the following question for a brief explanation why: http://ask.wireshark.org/questions/33897/how-much-data-for-each-ack
well, it does calculate the RTT for every 'valid' ACK, as far as I can see in the code (however: I did not look very thoroughly!).
As I said: it calculates the RTT for every 'valid' ACK (not out-of order, not retransmission, etc.). BTW: It's not the case, that Wireshark does not use the piggy-packed ACKs for RTT calculation. I have example captures, where you can see that. I guess, that in your example, the 'piggy-packed' ACK is for a frame that has been ACKed before. I can tell you for sure, if you post your capture file somewhere (google drive, dropbox, cloudshark.org).
So, to answer your question: Yes, RTT values are helpful, but are only one piece of the puzzle. Regards answered 21 Jun '14, 17:05  Kurt Knochner ♦ |
Thanks for Kurt taking the time to give the right backgound.
Packet 535 requests some http data from a server. The server Acks it in packet 847 0,2s later which Wireshark correctly shows as RTT. Now the server sends more data with the same ACK number 4312 in packet 948 which shows no ACK number because this ACK number was already ACKed by our client. If we would calculate the RTT of this one we would end up with an RTT of over 400ms which is very suspicious but this includes the server processing time and not anything related to the TCP stack.
The reason why I was calculating this number is that I wrote a tool to calculate the RTT times of tcp packets on the fly without capturing the complete network traffic and only generating messages when the RTT reaches a certain threshold. To verify the numbers I have used Wireshark but my calculations were not correct all the time. TCP is quite complex after all but thanks to Wireshark I now have a pretty good understanding how TCP works.
Good!