This is a static archive of our old Q&A Site. Please post any new questions and answers at

Tshark HTPP Jitter Statistics Capabilities Question



My question is simply what are the capabilities of specifically tshark or even wireshark for the ability to analyze pcap files finding jitter? I have seen various posts for VOIP or RTP jitter but none for HTTP. Also, I was also wondering how most people capture latency within a pcap file using the TCP protocol. So far my solution to that problem has been finding the difference in time between next TCP sequence data packets coming from the HTTP server.

Thanks in advance for any comments or advice,


asked 28 Aug '15, 07:42

danjoemart's gravatar image

accept rate: 0%

well, there is no (common) definition for jitter in HTTP, so what is your definition? Based on that, we might be able to suggest something.

(28 Aug '15, 07:46) Kurt Knochner ♦

Well, I have been googling around since I wrote this post a couple hours ago and I found this filter "tcp.analysis.ack_rtt". Basically, I am just trying to do some kind of analysis on "general network rtt" so I have some kind of idea of the network latency. From there I was hoping I could get some idea of what the jitter is so perhaps I could add a "http" filter. Without googling what jitter means my idea of jitter is the fluctuation of network latency on a stream over time.

Basically the whole point of what I am doing is I am trying to measure network latency for video traffic which flows over http under extreme network load. In my tests I am saturating the network with Iperf UDP traffic and I am trying to figure out how I can view how the cameras are behaving. One very important statistic I am trying to find is jitter and latency. Hope that helps. I think I am getting closer to an answer now.

Thanks again,


(28 Aug '15, 09:07) danjoemart

One Answer:


my idea of jitter is the fluctuation of network latency on a stream over time.

O.K. if you want to measure latency, you'll have to do that at two points in parallel, with high precision clocks. One in front of the sender and one in front of the receiver. Then compare both capture files to calculate the delta of the frame timestamps and create a graph or something based on that information.

It's easy for Wireshark to calculate jitter for RTP, because there are timestamps in the RTP payload, which can be used.

Unfortunately, you don't have timestamps in (regular) TCP frames, so the only thing you can do is what I described above. Unfortunately (again), there is no support whatsoever for that in Wireshark/tshark, so you'll have to use a script (Perl/Python/Brainfuck/Whatever), to parse the output of tshark and to do the calculation of frame time delta.

See my answer to a totally different question for an idea how you could use tshark and Perl for your task.


answered 28 Aug '15, 09:25

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

Hey Kurt,

Thanks for your help and the information you provided does seem to make sense as it does seem like what you said is the correct way to setup your environment to get very accurate data with precision.

However, my tests have already completed and I cannot redo it. I only have my result pcap data.

My main question for you is, how reliable and accurate would the data be if I used the tcp.analysis.ack_rtt filter? I already have a script that goes through my pcap files and extracts those time differences and the data to me seems like it provides a good sense as to what the latency looks like. It would be nice to have a second opinion.

Thanks in advance, Joe

(31 Aug '15, 13:14) danjoemart