In this post, we’ll use Wireshark to identify HTTP server response times. We’ll start by using Wireshark to open a network capture of a simple web request. Using the HTTP analysis tools built into Wireshark, we’ll calculate the time it took for the response to come back from the server. Once we’ve done that, we’ll walk through creating a filter to display HTTP response times that take longer than expected.

Finding HTTP Response Time

The HTTP response time is calculated and displayed in the HTTP dissector. In this example I made a request to http://i.imgur.com/OAEsnJh.jpg. Let’s take a look at what this looks like in Wireshark:

In this first screenshot, we establish the TCP connection with a three-way handshake, then the browser requests the image with an HTTP GET request.

The data is transferred from the web server to the client, and the server then sends an HTTP response of 200 OK. This indicates the requested action was successfully completed on the web server (see the pink highlight below).

Within the HTTP response packet, Wireshark is able to add additional information to assist in the analysis of the HTTP response stream. Part of that additional analysis is a field called ‘time since request’. This analysis field shows us the response time per HTTP request. To view this field, highlight the packet that contains the HTTP response. Within the Packet Details window, expand the Hypertext Transfer Protocol section. In that section, you will find the field with the elapsed time since the original request. In the screenshot below, we can see that the request took 195 ms.

Filter on Long HTTP Response Times

Now that we know where to view the response time, we’re able to create a filter based on that response time and only display HTTP responses that take more than, or less than, a set time.

In this example, we’re using the filter syntax below to display only the responses that take 100 ms or longer.

http.time >= 0.100000

This returns the same response as above with a response time of 195 ms.
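
To show what the ‘time since request’ value measures, here is an added example (not from the original post and not Wireshark's dissector code) that pairs each HTTP response with the oldest unanswered request on the same TCP stream and applies the same 0.100000 second threshold. The sample rows are constructed, and the pairing is a simplified model that assumes responses arrive in request order on each connection.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Constructed sample rows (not the post's capture), shaped like the
# tab-separated output of:
#   tshark -r <capture> -Y http -T fields -e frame.number \
#     -e frame.time_relative -e tcp.stream \
#     -e http.request.method -e http.response.code
SAMPLE = (
    "4\t0.052000\t0\tGET\t\n"    # request, stream 0
    "9\t0.247000\t0\t\t200\n"    # response 195 ms later
    "12\t0.300000\t1\tGET\t\n"   # two requests back to back on stream 1
    "13\t0.310000\t1\tGET\t\n"
    "15\t0.340000\t1\t\t200\n"   # answers frame 12 (40 ms)
    "18\t0.460000\t1\t\t404\n"   # answers frame 13 (150 ms)
    "21\t0.500000\t2\t\t200\n"   # request was sent before the capture began
)

def response_times(tsv):
    """Return (response_frame, status, seconds_since_request) tuples."""
    pending = defaultdict(deque)  # tcp.stream -> times of unanswered requests
    results = []
    for line in tsv.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # not a row in the expected five-column layout
        frame, ts, stream, method, status = fields
        if method:
            pending[stream].append(Decimal(ts))
        elif status and pending[stream]:
            # Oldest unanswered request on this stream belongs to this response.
            elapsed = Decimal(ts) - pending[stream].popleft()
            results.append((int(frame), int(status), elapsed))
        # A response with no recorded request has no measurable time; skip it.
    return results

def slow_responses(tsv, threshold="0.100000"):
    """Equivalent of the display filter http.time >= threshold (seconds)."""
    limit = Decimal(threshold)
    return [r for r in response_times(tsv) if r[2] >= limit]

if __name__ == "__main__":
    for frame, status, elapsed in slow_responses(SAMPLE):
        print(f"frame {frame}: HTTP {status} after {elapsed} s")
```

The response in frame 21 is left out because its request is not in the sample, which mirrors how a capture started mid-connection gives no request time to measure from.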