How do I locate the TCP ACK with the highest RTT (Round Trip Time) value in Wireshark? Is there a filter to do this? I tried the graph but I'm not sure how to use it I'm very new to Wireshark. I'm just guessing there is an easier way of finding this information rather than going through every packet. Thank you in advance!
1 Answers
1
votes
The easiest way in Wireshark is probably to:
- Expand the TCP protocol layer in the Wireshark "Packet Details Pane"
- Expand the
[SEQ/ACK analysis] - Right-click on the
[The RTT to ACK the segment was: x.xxx seconds] - Choose "Apply as Column"
- Click the column header to sort low-to-high
- Click the column header again to sort high-to-low
- The first packet at the top now contains the highest RTT
[Optional: Apply a display filter of tcp.analysis.ack_rtt so that only those packets that actually contain the field will be shown.]
You can also do this with tshark and a few other command-line tools. For example, on Linux, the following will yield the RTT and frame number of the packet with the largest RTT:
tshark -r file.pcap -2Y "tcp.analysis.ack_rtt" -T fields -e tcp.analysis.ack_rtt -e frame.number | sort -rn | head -1
