Other Articles:
• Catching the Lovsan Worm in Action [PDF]
• Time is of the Essence
• The Wonderful Thing About Triggers... [PDF]
• The Pain of Gnutella
• About the 2301 Traffic
• 10 Cool Things You Can Do with the EtherPeek Demo [PDF]
• Basic Packet Filtering [PDF]
• Advanced Packet Filtering [PDF]
• Looking at the Sniffer Dashboard [PDF]
• TrenchTime: Ports to Watch
• Did You Know: Wireless Networks are Not Immune to Sniffing? [PDF]
• The 10 Truths of Network Troubleshooting [PDF]
• Carnivore? [PDF]
• Sniffer: Using the Capture Panel [PDF]
Time is of the Essence
by Laura Chappell
If you’ve ever resized your analyzer’s summary window to move those pesky time columns out of sight – stop! Those columns can help you evaluate performance and spot some serious network errors.
There are three basic time values associated with each packet in a trace file:
• Relative time
• Delta time (a.k.a. Interpacket Time)
• Absolute time
Relative Time
The relative time column indicates when a packet arrived relative to the first packet in the trace buffer. If you have ‘marked’ another packet, your relative time column is based on the time since that marked packet arrived.
When I am reviewing a trace of a specific process such as logging in, I can determine the entire time required by the process by looking at the last packet and checking its relative time value.
In some cases, I’ll mark a specific packet in a trace (such as the Active Monitor Present packet on a Token Ring network) and then look at how much time passes between that packet and the next packets. In the case of the Token Ring network, I might look at the time between AMP packets to determine the status of the ring poll process.
Delta time (a.k.a. Interpacket Time)
The delta time (also referred to as the Interpacket Time) is the time between packets (or, more accurately, this value is defined as the time from the end of one packet to the end of the next packet, since most analyzers don’t subtract the actual receiving time of the packet).
I can also determine the roundtrip latency time when I look at a request packet and examine the delta time value between the request and response packets. Figure 1 illustrates how this column can help troubleshoot network communication problems.
In Figure 1, we are examining a client login process – we can see several sudden increases in the communication sequences between 10.57.0.164 and the other devices on the network – a 3 second interval, a 6 second interval and finally an 11+ second interval between repeated UDP transmissions. There never appears to be a response of any type (it appears the client application has a 'retry' mechanism that transmits packets at approximately 6, 6, and 11 second intervals). Ugh. This is a bad day for this client.
Figure 1: Examining the delta time value indicated a sudden lock-up at a client.
When we examined this process further, we could see a consistent series of delays when a specific process occurred. The delta time value was the first visible evidence of a consistent problem based on a communication fault.
Absolute Time
Finally, we have the absolute time value - the simplest value of all. The absolute time field indicates when a packet arrived based on the date/time of the analyzer system. This is especially useful when you have set up a triggered capture for the middle of the night. When you review the trace file, you can see the exact time that a packet arrived, even though you weren’t there to catch it.
Make the most of your analyzer and use the various time value columns to help characterize and troubleshoot network communications.
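The three time columns can also be derived outside the analyzer from packet timestamps alone. The following is an added example, not part of the original article: it computes relative, delta and absolute time for a constructed capture and flags long silences and peers that never answer, as in the Figure 1 discussion. The peer addresses, start time and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

CLIENT = "10.57.0.164"
# Constructed capture: (seconds after start, source, destination, protocol).
# Peer addresses and the start time are made up; only CLIENT is from the article.
START = datetime(2000, 1, 1, 2, 15, 0)
SAMPLE = [
    (0.000, CLIENT, "10.57.0.1", "UDP"),
    (0.004, "10.57.0.1", CLIENT, "UDP"),
    (0.010, CLIENT, "10.57.0.2", "UDP"),
    (3.010, CLIENT, "10.57.0.2", "UDP"),
    (9.010, CLIENT, "10.57.0.2", "UDP"),
    (20.500, CLIENT, "10.57.0.2", "UDP"),
]
PACKETS = [(START + timedelta(seconds=s), a, b, p) for s, a, b, p in SAMPLE]


def time_columns(packets, mark=0):
    """Add relative time (from the marked packet) and delta time to each packet."""
    ref, prev, rows = packets[mark][0], None, []
    for ts, src, dst, proto in packets:
        rows.append({
            "absolute": ts, "src": src, "dst": dst, "proto": proto,
            "relative": (ts - ref).total_seconds(),
            "delta": 0.0 if prev is None else (ts - prev).total_seconds(),
        })
        prev = ts
    return rows


def stalls(rows, threshold=1.0):
    """Return (index, delta) for packets that arrived after a long silence."""
    return [(i, r["delta"]) for i, r in enumerate(rows) if r["delta"] > threshold]


def unanswered(rows, client):
    """Return peers the client sent to that never sent anything back."""
    sent = {r["dst"] for r in rows if r["src"] == client}
    replied = {r["src"] for r in rows if r["dst"] == client}
    return sorted(sent - replied)


if __name__ == "__main__":
    rows = time_columns(PACKETS)
    for r in rows:
        print(f'{r["absolute"]:%H:%M:%S.%f} {r["relative"]:8.3f} {r["delta"]:8.3f} '
              f'{r["src"]} -> {r["dst"]} {r["proto"]}')
    print("stalls:", stalls(rows), "unanswered:", unanswered(rows, CLIENT))
```

Passing `mark=2` re-bases the relative column on the first unanswered request, the same way marking a packet does in the analyzer; packets before the mark then show negative relative times.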
Got other ideas for articles/documentation
or training? Send email directly to Laura at lchappell@packet-level.com.
Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.