How can I identify the time a TCP packet takes from two nodes?

Question

I need to identify the transfer time of a packet. More specifically I need:

• The time when the packet leaves node A
• The time when the packet arrives at node B

Is there any way of identify the packet without error? I was thinking of using tcpdump/tshark at node A and at node B, but is possible to identify the packet?? How?

Answer 1

Either or (TShark/tcpdump) I will explain the analysis with wireshark.

Let Node A = 10.1.2.1 Let Node B = 10.20.30.1

From Capture on Node A:

In Wireshark, in the filter, isolate the addresses to minimize noise:

ip.addr == 10.1.2.1 (click apply)

Click apply. Hit CTRL+Alt+1 to display the time easier to read: 2013-07-08 14:30:00 . You'll see the packets displaying what time it left Node A. Jot it down, and then do the reverse. Analyze the capture from Node B:

ip.addr == 10.20.30.1 (click apply)

CTRL+ALT+1 Compare. Be advised, unless you have both nodes synced with an NTP server, your results will be skewed

Answer 2

There's not a unique identification for a TCP packet. There are parameters that combined can help you to recognize a packet, but there's not a 100% guarantee that won't repeat (specially when analizing huge quantity of packets). Those parameters are:

• src ip
• dst ip
• src port
• dst port
• ip id

When a TCP connection is stablised, the TCP identification numbers wraps after sending only 65536 packets, so I'll choose to analyze packets before wrapping.

I got that info from: https://www.wireshark.org/lists/wireshark-users/201004/msg00216.html

Answer 3

If you are planning on capturing on both nodes, you will also need to make sure that the system clocks are tightly synchronised.