Wireshark-bugs: [Wireshark-bugs] [Bug 5770] Add conversation tracking to ICMP.
Date: Fri, 25 Mar 2011 08:52:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5770

--- Comment #30 from Chris Maynard <christopher.maynard@xxxxxxxxx> 2011-03-25 08:52:28 PDT ---
OK, so I decided to take a look at trying to make use of the timestamp in the
ICMP payload after all.  I got to thinking, "What if we have a HostA pinging
HostB, with a host in the middle running Wireshark capturing the pings?".  In
that case, the response time I'm computing is only the round trip of the 2nd
leg of the journey and not the real end-to-end round trip time.

But, if HostA is placing a timestamp in the ICMP payload that reflects the time
at which it sent the ICMP echo request, we should be able to make a reasonably
good estimate of the total round-trip time, or service response time (SRT) to
keep the notation the same as other protocols.  So given:

            1st leg                2nd leg
 +-------+          +-----------+          +-------+
 | HostA |          | Wireshark |          | HostB |
 +-------+          +-----------+          +-------+
     |                     |                   |
     +---------------------+-------------------+

     t0 =================> t1 =================>
                           t2 <================

t0: The ICMP timestamp payload
    i.e., the time that HostA sends the ICMP echo request
t1: The time that Wireshark receives the ICMP echo request from HostA
t2: The time that Wireshark receives the ICMP echo reply from HostB

Knowing all 3 of these times, we can easily calculate the time it takes for the
ICMP echo request to reach Wireshark.  That's simply t1-t0.  We can also easily
calculate the SRT of the ICMP echo request/reply from Wireshark's perspective
as t2-t1.  The only thing we don't know is the time it takes for the ICMP echo
reply to reach HostA from Wireshark, but we can make a pretty good guess that
it should take about the same time as the ICMP echo request took to reach
Wireshark from HostA.

Thus, the estimate becomes: 2*(t1-t0) + (t2-t1)

I wrote some code to attempt to do this and will attach the patch here.  Thus
far I have been unable to get any good results though.  Maybe someone wants to
have a look at this and see if there's a way to improve it?

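
A sketch of the estimate described in the comment above, added here as an illustration; it is not the patch attached to the bug and not Wireshark code. The payload layout, the 10-second bound, the sample bytes and all names are assumptions. Because t0 is stamped by HostA's clock and t1 by the capture host's clock, readings that give a negative or oversized first leg are rejected rather than used.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption (not stated in the comment): the echo data begins with 32-bit
 * seconds then 32-bit microseconds, in the sender's byte order. */
#define MAX_LEG_US 10000000LL /* assumed sanity bound on t1 - t0: 10 s */

/* Constructed sample: t0 = 1301068348.500000 s, little-endian. */
static const uint8_t sample_data[8] = {0x3C, 0xBA, 0x8C, 0x4D, 0x20, 0xA1, 0x07, 0x00};

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Decode t0 in microseconds since the epoch. Both byte orders are tried and
 * the first that puts the first leg (t1 - t0) in [0, MAX_LEG_US] wins.
 * Returns 0 on success, -1 if neither reading is plausible. */
int decode_t0(const uint8_t *data, size_t len, int64_t t1_us, int64_t *t0_us)
{
    if (len < 8)
        return -1;
    for (int be = 0; be <= 1; be++) {
        uint32_t sec = rd32(data, be), usec = rd32(data + 4, be);
        int64_t t0 = (int64_t)sec * 1000000 + usec;
        if (usec < 1000000 && t1_us >= t0 && t1_us - t0 <= MAX_LEG_US) {
            *t0_us = t0;
            return 0;
        }
    }
    return -1;
}

/* The comment's estimate, 2*(t1-t0) + (t2-t1), in microseconds.
 * Returns -1 when the reply precedes the request or t0 is unusable. */
int64_t estimate_srt_us(const uint8_t *data, size_t len, int64_t t1_us, int64_t t2_us)
{
    int64_t t0_us;
    if (t2_us < t1_us || decode_t0(data, len, t1_us, &t0_us) != 0)
        return -1;
    return 2 * (t1_us - t0_us) + (t2_us - t1_us);
}
```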