In some situations the question arises how much a frame was delayed by a device it has to pass through, e.g. firewalls, loadbalancers and sometimes even routers and switches. Usually, novice network analysts think that for that you need to synchronize the clocks of the capture PCs down to microseconds or even better, but that is not necessary for this kind of reading. It is possible to capture the packets with completely different time settings on the capture PC left and right of the device you need to determine the delay for.
The trick to determine the device delay is pretty simple: you just need to find a packet that is answered by another packet coming back. As long as you can match request and response on both sides of the device you can do the math. Of course you need to capture both request and response packets at the exact same moment, so you can’t capture one side first and the other side second. Which means that you usually need two capture PCs, one for each side of the device in question. Take a look at the following graph:
As you can see, you can determine device delay by subtracting the smaller delta time from the larger delta. This is the delay for the two packets to pass through the device, represented by the two small boxes in the graph above. For one way (a.k.a. the average), just divide the result by 2.
For a very simple example I sent a ping (yes, “one ping only!” :) ), which gets NATted, to make it a little more fun. This is the internal capture of the NAT device:
And here is the same ping after being NATted, on the external side of the NAT device:
You can’t see the absolute time (as I’ve chosen to cut it from the screen shot, because it just doesn’t matter), but you can see the delta times between the echo request going out to the internet, and the echo reply coming back.
Internal Ping Delta Time: 0.031064 seconds External Ping Delta Time: 0.030690 seconds Difference between the two: 0.000374 seconds
So the delay caused by the device between the two echo request and the two echo reply packets is 374 microseconds. Divided by 2 that’s 187 microseconds – this is the average delay caused by the NAT device. Of course it may be useful to take multiple samples to get a more exact average, but that is just routine work – knock yourself out if you want. I’m done here :-)