This is our old Q&A Site. Please post any new questions and answers at

I need to calculate the service response time between an appliance (if this is of interest for you: a Google Search Appliance) and our internal SAML identity provider.

There are some restrictions / conditions I have to live with:

  • I can't run a dumper on the appliance itself, neither on the network between the appliance and the IDP or the IDP itself
  • the appliance is able to run tcpdump for me but I can't influence the command line (one exception below)
  • the appliance allows me to enter an ip restriction that it will then send to tcpdump which will then create a .cap file for me which I will then be able to download later
  • the cap file is limited to 1 GB in size (should be sufficient to log a lot of transactions)
  • I am not able to decrypt the traffic because I don't have access to the keys

I read some posts about http response times but this can't be used for http over tlsv1. What looks most promising to me is this: because the SAML process consists of one single https URL being processed I would be able to calculate the response time by calculating time between first packet and last packet. Having a look at an example trace I downloaded it should be possible to "group" all tcp packages that belong to one transaction by using for example eq 4. In addition to this I enabled Edit -> Preferences -> Protocols -> TCP -> Calculate conversation timestamps and added tcp.time_delta and tcp.time_relative to my displayed columns.

The figures of tcp.time_relative for the last package in the transaction look good, this seems to be the time elapsed between first and last packet. I tried a filter like tcp.time_relative > 0.5 but I am not able to express && packet is final packet.

Can you tell me if my approach is correct ? And how to specify the filter ?

asked 29 Jan '15, 06:08

marged's gravatar image

accept rate: 0%

You are on the right track, but there is no filter for the last packet in the TCP stream, so you would need to find another anchor point. Here are some options:

  • If all SAML sessions are closed by a TCP FIN, you can use ip.src==<server-ip> and tcp.flags.fin==1 as anchor
  • If the response from the server fits in one frame, then you could use the ApplicationData packet from the server as anchor with ip.src==<server-ip> and ssl.record.content_type == 23

Hope this helps!

permanent link

answered 29 Jan '15, 09:41

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 29 Jan '15, 06:08

question was seen: 2,930 times

last updated: 29 Jan '15, 09:41

p​o​w​e​r​e​d by O​S​Q​A