Register for VIP Notification of the next Packet Pub Quiz at https://coreitpros.com/quiz.
This question not only caught a lot of folks in the Packet Pub Quiz, but I've seen a lot of "free Wireshark training" videos get this wrong!!! (Only 35% of people selected the correct answer.) Let's look at the question and go through the answer.
Which Wireshark setting should be disabled to measure response times of TCP-based applications?
a. checksum validation
b. calculate conversation timestamps
c. relative sequence numbering
In my Day 1 Workshop (CORE Packets and Protocols) at the CORE-IT Pros conference, I will be sharing TONS of Wireshark tips and tricks! Join me! Register online at https://coreitpros.com.
CORRECT ANSWER REVIEW
You must turn off TCP's "Allow subdissector to reassemble TCP streams" to correctly measure TCP-based application response time.
"What?" you say! You've never heard of this Wireshark issue/trick?
Let's look at a trace file called "GETjpg.pcapng" to see how TCP's reassembly affects the application response time measurement. In the image below, we are using Wireshark's default setting - TCP reassembly is on.
Note the time from the request in frame 1 to the response in frame 28. Wireshark indicates the time from the request to the response is just over 133ms.
That's not true, however. Wireshark is reassembling the .jpg file being downloaded and putting the HTTP 200 OK response at the end of the .jpg file download. We are actually measuring the time from the request to the end of the file download (frame 28). That's not application response time. That's not where the HTTP 200 OK actually exists.
In the image below, I have disabled the TCP reassembly feature. Now we see the HTTP 200 OK response is actually in frame 3. Wireshark is now measuring from the request to the response. The true application response time is just shy of 76ms.
Imagine how far off the application response time measurements would be when analyzing the download of a large file.
Understanding how to use Wireshark correctly ensures your network troubleshooting and optimization steps provide accurate information.
Wireshark's checksum validation, calculate conversation timestamps, and relative sequence numbering settings have no effect on TCP-based application response time measurement.
There are several ways to customize Wireshark to ensure you get accurate information. I will be showing some cool Wireshark profiles and sharing many of my favorite analysis tips at the CORE-IT Pros Conference! Register today at https://coreitpros.com.
Sign up for VIP Notification and Access to our Packet Pub Quizzes at https:/coreitpros.com.