My task is to perform an experiment measuring RTP packet delays (the traffic is simply streaming music from my server to my PC). I've read a related question (Measure packet delay RTP) and figured out that it's not really possible if I capture the traffic only on my PC, because Wireshark can't calculate delay in such a case. So, obviously, I have to capture traffic on the server side as well. That's OK, I can run tshark there for capturing.

My question is: what should I do after? How do I merge two captures (local and remote) and how do I pass them to Wireshark to let it calculate delays for me? If I simply merge the two pcaps into one file and load it into Wireshark, will it understand that it's the same RTP session captured from two machines and will it be able to calculate packet delays for me?

asked 13 Nov '16, 08:02 trixter, edited 13 Nov '16, 08:03
One Answer:
The simple answer would be "open one of the files, then go to However, you need the real-time clocks of your server and your PC to be well synchronized, as an eventual difference between the two machines' real-time clocks will skew the result. If everything is on a single LAN, the relative significance of the clock difference may be really high.

answered 13 Nov '16, 10:43 sindy, edited 14 Nov '16, 10:21
There is nothing like that embedded in Wireshark.
If I were to do that, I'd use the good ol' Excel - I'd export packets with the same ssrc from both captures, not merging them together, into csv files, like this:
tshark -r your\file\name.pcapng -Y "rtp.ssrc == 0xyourssrc" -T fields -e rtp.seq -e frame.time_epoch > your\file\name.csv
I would then import these files into Excel (with space as separator), use the first columns of both (the rtp.seq values) to properly match the pairs of timestamps and notice eventual lost packets, and let Excel calculate the average of the differences between the second columns, leaving out lost packets from the calculation.
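The matching step described above, as an added Python example that is not part of the original answer: it pairs the two exports by rtp.seq, leaves lost packets out of the average, and additionally handles the 16-bit sequence number wrapping around. The sample data, the function names and the assumptions that both captures begin in the same sequence cycle and that the two clocks are synchronized are this example's own.

```python
from decimal import Decimal

# Constructed sample data in the two-column layout produced by
# `-T fields -e rtp.seq -e frame.time_epoch` (sequence number, epoch time).
SENDER_CSV = """65534\t1479024000.000000000
65535\t1479024000.020000000
0\t1479024000.040000000
1\t1479024000.060000000
2\t1479024000.080000000
"""
RECEIVER_CSV = """65534\t1479024000.020000000
65535\t1479024000.042000000
1\t1479024000.081000000
2\t1479024000.105000000
"""  # constructed loss: seq 0 never arrived at the receiver

def load(text):
    """Return {extended_seq: timestamp}, unwrapping the 16-bit RTP sequence number."""
    out, cycles, prev = {}, 0, None
    for line in text.splitlines():
        parts = line.split()              # accepts tab or space as separator
        if len(parts) != 2:
            continue                      # skip blank or malformed rows
        seq, ts = int(parts[0]), Decimal(parts[1])
        if prev is not None and prev - seq > 0x8000:
            cycles += 1                   # counter wrapped 65535 -> 0
        ext = seq + (cycles << 16)
        if prev is not None and seq - prev > 0x8000:
            ext -= 1 << 16                # late packet from before the wrap
        else:
            prev = seq
        out.setdefault(ext, ts)           # keep the first copy of a duplicate
    return out

def compare(sender_text, receiver_text):
    """Pair packets by sequence number; return (mean delay, delays, lost seqs)."""
    sent, recv = load(sender_text), load(receiver_text)
    delays = {s: recv[s] - sent[s] for s in sorted(sent) if s in recv}
    lost = [s & 0xFFFF for s in sorted(sent) if s not in recv]
    # Assumption: clocks are synchronized; any offset is included in the mean.
    mean = sum(delays.values()) / len(delays) if delays else None
    return mean, delays, lost

if __name__ == "__main__":
    mean, delays, lost = compare(SENDER_CSV, RECEIVER_CSV)
    print(f"matched={len(delays)} lost={lost} mean_delay={mean:.6f}s")
```

Timestamps are kept as Decimal so the nanosecond digits of frame.time_epoch survive the subtraction.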