By monitoring "ping" packets with tcpdump software, the following records are saved as an example.
![alt text][1]
The first two request packets, with sequence numbers (seq) 19611 and 19612, have no reply.
From these records, I want to calculate the round trip time (delay). My naive search and its result (which is what I expected, and is correct) are as follows:
```spl
base_search
| where direction=="request"
| join seq type=outer
    [ base_search
      | where direction=="reply"
      | rename _time as reply_time
      | table seq reply_time ]
| table _time seq reply_time
| rename _time as request_time
| eval request_time=strptime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval reply_time=strptime(reply_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval delay=reply_time - request_time
| eval request_time=strftime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval reply_time=strftime(reply_time, "%Y-%m-%d %H:%M:%S.%6N")
| table request_time seq reply_time delay
```
![alt text][2]
**Questions are:**
(1) How can I get the same result without using the join search command?
(2) *Seq* is implemented as a 16-bit field in the packet, that is, mod 65536. Therefore, if monitored for a long time, the same *seq* value could appear in the saved records. When this happens, my naive program fails to get the delay correctly.
How can I solve this problem (again without using the join command)?
Thanks.
[1]: /storage/temp/187358-スクリーンショット-2017-03-19-214415.png
[2]: /storage/temp/187359-スクリーンショット-2017-03-19-215552.png
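The pairing rule that both questions come down to, as an added Python example that is not part of the original post: each reply is matched to the oldest still-unanswered request carrying the same ICMP id and seq, so a seq that repeats after the 16-bit wrap opens a new pair instead of colliding with the earlier one, and unanswered requests (19611, 19612 here) keep an empty delay. The tcpdump -tttt style lines below are constructed sample input.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed tcpdump -tttt style records (not the screenshot from the question).
# seq 19611 and 19612 get no reply; seq 5 appears twice to mimic a 16-bit wrap.
LOG = """\
2017-03-19 21:44:15.000100 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 19611, length 64
2017-03-19 21:44:16.000100 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 19612, length 64
2017-03-19 21:44:17.000100 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 19613, length 64
2017-03-19 21:44:17.012600 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 7, seq 19613, length 64
2017-03-19 21:44:18.000000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 5, length 64
2017-03-19 21:44:18.003000 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 7, seq 5, length 64
2017-03-20 15:56:34.000000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 5, length 64
2017-03-20 15:56:34.020000 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 7, seq 5, length 64
"""

LINE = re.compile(r"^(\S+ \S+) .*ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(line):
    """Return (epoch_time, direction, icmp_id, seq mod 65536) or None for non-ping lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc).timestamp()
    return ts, m.group(2), int(m.group(3)), int(m.group(4)) % 65536

def round_trips(text):
    """Return [(request_time, seq, reply_time, delay)] in request order.

    A reply is matched to the oldest pending request with the same (id, seq),
    so a repeated seq after a wrap gets its own row rather than overwriting
    the earlier pair; requests without a reply keep reply_time/delay = None."""
    pending = defaultdict(deque)   # (icmp_id, seq) -> queue of row indexes
    rows = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, direction, icmp_id, seq = rec
        key = (icmp_id, seq)
        if direction == "request":
            pending[key].append(len(rows))
            rows.append([ts, seq, None, None])
        elif pending[key]:                      # ignore replies with no open request
            i = pending[key].popleft()
            rows[i][2] = ts
            rows[i][3] = round(ts - rows[i][0], 6)
    return [tuple(r) for r in rows]
```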
How to calculate the round trip time by the modulo-type sequence number without using join command?