When measuring network security appliance performance, particularly for HTTPS inspection and filtering, traditional network testing tools fall short. While ping is useful for basic network connectivity testing, it only measures ICMP echo request/reply times, which doesn't reflect the complexity of HTTPS traffic inspection. Similarly, TCP ping tools can measure TCP handshake times but don't account for the additional overhead of TLS negotiation and application-layer inspection.
For firewalls performing FQDN (Fully Qualified Domain Name) filtering on HTTPS traffic, the crucial metric is the time taken from initial request to receiving the first byte of application data. This Time To First Byte (TTFB) measurement includes:
- TCP connection establishment
- TLS handshake
- SNI (Server Name Indication) inspection by the firewall
- FQDN filtering policy evaluation
- Initial HTTP request transmission
- First response byte receipt
This toolkit provides a methodology for measuring and comparing the performance impact of different firewall solutions performing HTTPS inspection and FQDN filtering. The scripts capture and analyze network traffic to measure TTFB across multiple connections, providing statistical analysis of latency patterns.
- Initiates packet capture using tcpdump
- Performs configurable number of HTTPS requests to specified endpoints
- Captures full packet data for detailed timing analysis
- Extracts relevant timing information using tshark
- Processes packet capture data to calculate TTFB metrics
- Analyzes results separately by destination IP address
- Provides statistical analysis including:
- Mean and median latency
- Standard deviation
- Maximum values
- Per-endpoint breakdowns
The script analyzes performance metrics grouped by destination IP address because:
- Modern web services often use multiple endpoints (e.g., CDN edge nodes)
- DNS round-robin may distribute requests across different servers
- Cloud services might route to different regional endpoints
- Performance characteristics may vary by endpoint
This approach ensures that:
- Performance variations between different backend servers are visible
- CDN edge node performance can be compared
- Any routing or regional differences are captured
- Anomalies in specific endpoints can be identified
- Capture traffic:
./capture_latency.sh <https_url> <request_count>- Analyze results:
python3 analyse_ttfb_by_ip.py <timing_data.txt>The scripts use the following approach to ensure accurate measurements:
-
Full Packet Capture: Rather than just timing HTTP requests, we capture all packets to analyze the exact timing of TCP and TLS handshakes.
-
Stream Analysis: TCP streams are tracked to accurately associate request and response packets.
-
First Data Packet: We specifically identify the first data-carrying packet after the handshake to measure true application-layer latency.
-
Statistical Aggregation: Multiple requests provide robust statistical data to account for network variations.
-
IP-based Grouping: Results are grouped by destination IP to account for:
- CDN edge nodes
- DNS round-robin
- Regional routing differences
- Backend server variations
- Linux environment with:
- tcpdump
- tshark (Wireshark command-line tools)
- Python 3 with pandas
- Appropriate permissions for packet capture (sudo/root)
- Network environment configured to route test traffic through the firewall under test
The timing measurement focuses on identifying the first application data packet after the TLS handshake is complete. This approach was chosen because:
- It reflects the actual impact on application performance
- It captures the full overhead of security processing
- It provides consistent measurements across different firewall implementations
- It matches real-world application behavior patterns
By analyzing results by IP address, we can:
- Identify performance variations between different backend servers
- Account for CDN edge node distribution
- Detect any regional or routing-based performance differences
- Provide more accurate comparisons when testing against distributed services