This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Time Since Request (http.time)

0
1

Hi,

I am trying to get time since request (http.time) value from another application. So I am wondering if that is a standard function on WinPcap, or does Wireshark calculate it by itself? (and how does it calculate?)

Thanks,

asked 13 Oct '15, 16:23


tarik
0125
accept rate: 0%

edited 13 Oct '15, 16:24


2 Answers:

3

http.time is, as Christian said, calculated by Wireshark, but it is calculated in different ways, depending on your preference settings.

The client sends a request, let's say a GET request, and for the sake of simplicity, let's assume that the GET request fits in one packet.

The server sends a response, hopefully a "200 OK" response, followed by the data that was requested. The OK response will be in the first packet from the server, followed immediately, in the same packet, by however much of the data will fit. The rest of the data follows in additional packets. So occasionally, the 200 OK and all of the data will be in one packet, but usually the response will span multiple packets with the OK in the first one.

If the TCP preference "Allow subdissector to reassemble TCP streams" is off, the http.time will be the time between the GET request and the first packet of the response, the one containing the OK.

If "Allow subdissector to reassemble TCP streams" is on and the HTTP reassembly preferences have been left at their defaults (on), http.time will be the time between the GET request and the last packet of the response.

answered 14 Oct '15, 06:38


Jim Aragon
7.2k733118
accept rate: 24%
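
The two cases described in the answer above, as an added example that is not part of the original answer and is not Wireshark's code: it applies the same timing rule to packet timestamps so another application can derive both values. The function name, the packet tuple layout and the sample data are assumptions made for illustration; it assumes one request per connection that fits in one packet, in-order segments without retransmissions, and a response framed by Content-Length.

```python
from typing import List, Optional, Tuple

# (capture timestamp in seconds, sender, TCP payload bytes)
Packet = Tuple[float, str, bytes]

def time_since_request(packets: List[Packet], reassemble: bool) -> Optional[float]:
    """Seconds from the request to the first (reassemble=False) or last
    (reassemble=True) packet of the response; None if that packet is missing."""
    request_ts = None
    buf = b""
    needed = None  # header + body length, known once the headers are complete
    for ts, sender, payload in packets:
        if not payload:
            continue  # bare ACKs carry no HTTP data
        if sender == "client":
            if request_ts is None:
                request_ts = ts
            continue
        if request_ts is None:
            continue  # server data before any request
        if not reassemble:
            return ts - request_ts  # first response packet, the one with the status line
        buf += payload
        if needed is None and b"\r\n\r\n" in buf:
            head = buf.partition(b"\r\n\r\n")[0]
            length = 0
            for line in head.split(b"\r\n")[1:]:  # skip the status line
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    length = int(value.strip())
            needed = len(head) + 4 + length
        if needed is not None and len(buf) >= needed:
            return ts - request_ts  # packet that completes the response
    return None

# Constructed sample: one GET, a bare ACK, then a 3000-byte body in three packets.
BODY = b"x" * 3000
HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 3000\r\n\r\n"
SAMPLE = [
    (10.0, "client", b"GET /file HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (10.125, "server", b""),
    (10.25, "server", HEAD + BODY[:1400]),
    (10.5, "server", BODY[1400:2800]),
    (10.75, "server", BODY[2800:]),
]

if __name__ == "__main__":
    print("reassembly off:", time_since_request(SAMPLE, False))  # 0.25
    print("reassembly on: ", time_since_request(SAMPLE, True))   # 0.75
```

A capture that ends before the last segment returns None in the reassembly case, which is why the two settings can disagree on whether a value exists at all.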

1

It is calculated by Wireshark. A value which is calculated by Wireshark itself could be identified by the brackets [].
For example [TCP Segment Len: 1438]
If you scroll over this field with your mouse then you can see in the status bar the real field name. In this case tcp.len
This string tcp.len could be used as a display filter.

answered 13 Oct '15, 16:29


Christian_R
1.8k2625
accept rate: 16%