The first impression of the six RTT plots in Figure 4.2 might be that, they look almost the same. This is true in the sense that the differences between these plots are hardly perceptible, especially for the lower five plots (tcpdump measurements). Close study reveals areas of minor difference in the top plot (ping's own measurement), which are indicated by the four arrows. The first arrow indicates a nearly horizontal line where the other plots decline a little; the second arrow indicates a larger dip than the other plots; the third arrow indicates a flatter line and the fourth arrow indicates a more pronounced bulge.
There are two ways to view these differences more clearly. One is to zoom each plots to show only those parts that seem to have major differences. However, this approach does not help much in showing the differences in the other parts. A better way is to directly plot the RTT differences between pZ and the other monitors. As the RTT differences between pZ and the other tcpdump monitors are similar, for brevity and legibility reasons, only the RTT differences between pZ and m2 are plotted, as shown in Figure 4.3. The x-axis in the plot reflects the ICMP sequence numbers. The y-axis reflects the RTT measurement differences between pZ and m2 (pZ's measure minus m2's measure), measured in milliseconds. The lost packets are not shown.
In the plot there are repeated step-by-step increases and sudden drops in the interval between ICMP sequence number 490 and 890. The differences can climb up to as high as 30 milliseconds. A measurement difference of 30 milliseconds could be considered large, depending on how precisely the RTT measurements would be used. For instance, 30 milliseconds would not mean much to a general Web user whose machine is connected via a model to a slow dial-up link, such as a telephone line. However, for a researcher who intends to measure the wire round-trip times, a 30-millisecond difference could possibly be misinterpreted as a queueing delay caused by the injection of other traffic into the network. Also noticeable is that all the measurement differences shown in the plot are positive. This is consistent with the fact that ping spends more monitor processing time than tcpdump when measuring round-trip times, because ping timestamps packets at the application-level in the operating system's user-space while tcpdump receives timestamps that are measured in the kernel space and are closer to the packets' wire times.
More comparisons between ping and tcpdump regarding running ping in different user modes, namely the multi-user mode and the single-user mode, will be presented in Section 4.5. Before that, we compare in the next section the measurements of the five tcpdump monitors in the same experiment, and compare in Section 4.4 the measurements between two dedicated monitoring machines.
![\includegraphics [angle=-90, width=0.9\textwidth]{eps/022-0151/022-0151.RTTDiff-pZ-m2.eps}](img31.png)