I am new to scripting in Linux. I have captured traffic generated between a client and FW (server). I would like to measure the time each packet remains in the server (processing time). I have the key idea, but I am not sure how to implement this and write a script that does what I need. Each arriving packet has a timestamp, as do the packets leaving the system. The processing time should be computed by subtracting both values. However, I find it difficult to implement this using the packet ID in tcpdump. Do you have any suggestion for me so I can collect the arrival packet timestamp as well as the leaving packet timestamp?
With questions like this, it always helps if you tell us what operating system you're using, tell us what shell you're using, show us representative sample input that you want to process, and show us the output that you hope to produce from that sample input.
If you show us what you have tried to solve this problem on your own, it gives us a better feel for the help you need, so you can learn from your experiences and we can help you figure out what still needs to be done.
I suppose the real problem is to find out which arriving packet corresponds to which leaving packet, no? If, say, five requests are processed by a server, this will result in 5 incoming packets and (later) 5 outgoing packets. But it might be that arriving packet 1 is answered by outgoing packet 4 and arriving packet 2 by outgoing packet 1, etc. How will you know which of these packets correspond?
I think you should first decide what programming language you will use. tcpdump essentially produces data in tabular format, so awk is an obvious choice. However, tabular data can be analyzed equally well with other languages - Perl, Ruby, Python, just to name a few - and I personally tend to use one of those, because they provide more flexibility, which might be handy in case the problem increases in complexity. For example, I tend to use Ruby for those tasks, but this is just personal taste.
Since you said that you are new to scripting, you need to learn a new language anyway, so you can start using one of them. I would recommend in your case to do it either in Perl or in Ruby:
Perl has the advantage that it is already installed on virtually every system.
Ruby has the advantage that it is very easy to learn, so it might be better suited for beginners.
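As an added example (not code from the answer above or from the question's author), here is what such a script can look like in Ruby, the language the answer recommends. It assumes two captures taken at the same time on the firewall, one on the inside interface and one on the outside interface, with `tcpdump -tt -v -n` so that each line carries an epoch timestamp and the IP header id. Each packet is keyed on (source address, destination address, IP id), which is also one answer to the pairing problem raised in the comments: a plain forwarding firewall leaves those three fields unchanged, so the same key shows up once on each interface. The interface names and the sample capture lines are constructed, not real traffic.

```ruby
#!/usr/bin/env ruby
# Pair packets seen entering a firewall with the same packets seen leaving it
# and report how long each one spent inside. Added example, not code from the
# thread. Assumed capture commands (assumption: eth0 is the inside interface,
# eth1 the outside one), run on the firewall at the same time:
#   tcpdump -tt -v -n -i eth0 > inside.txt
#   tcpdump -tt -v -n -i eth1 > outside.txt
# -tt prints epoch timestamps with microseconds, -v prints the IP header "id",
# -n keeps addresses numeric. A packet is identified by (src, dst, IP id), which
# an ordinary forwarding firewall leaves unchanged; a NAT box rewrites the
# addresses and the key would have to be adapted.

HEADER = /\A(?<ts>\d+\.\d+) IP \(.*?\bid (?<id>\d+),/
ADDRS  = /(?<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:/

# "1700000000.000100" -> integer microseconds, avoiding float rounding.
def to_usec(stamp)
  sec, frac = stamp.split('.')
  sec.to_i * 1_000_000 + frac.ljust(6, '0')[0, 6].to_i
end

# Parse `tcpdump -tt -v -n` text into [{key: [src, dst, id], ts: usec}, ...].
# The header line may carry the addresses itself or put them on an indented
# continuation line (tcpdump versions differ); both forms are accepted.
# Non-IP lines (ARP etc.) carry no IP id and are skipped.
def parse_tcpdump(text)
  records = []
  pending = nil
  text.each_line do |line|
    if (h = HEADER.match(line))
      pending = { ts: to_usec(h[:ts]), id: h[:id].to_i }
    end
    next unless pending
    if (a = ADDRS.match(line))
      records << { key: [a[:src], a[:dst], pending[:id]], ts: pending[:ts] }
      pending = nil
    end
  end
  records
end

# For each (src, dst, id) pair the observation on one interface with the next
# observation of the same packet on the other interface, whichever side saw it
# first. A packet with no partner was dropped (or the capture ended first).
def residence_times(inside_text, outside_text)
  seen = parse_tcpdump(inside_text).map { |r| r.merge(iface: :inside) } +
         parse_tcpdump(outside_text).map { |r| r.merge(iface: :outside) }
  results = []
  seen.group_by { |r| r[:key] }.each do |key, obs|
    obs = obs.sort_by { |r| r[:ts] }
    until obs.empty?
      first = obs.shift
      idx = obs.index { |r| r[:iface] != first[:iface] }
      partner = idx ? obs.delete_at(idx) : nil
      results << { key: key, ingress: first[:iface], in_ts: first[:ts],
                   out_ts: partner && partner[:ts],
                   usec: partner && partner[:ts] - first[:ts] }
    end
  end
  results.sort_by { |r| r[:in_ts] }
end

# Constructed sample captures (not real traffic). The inside file uses the
# two-line layout, the outside file the one-line layout, to exercise both.
INSIDE_SAMPLE = <<~TXT
  1700000000.000100 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
      10.0.0.10.54321 > 192.0.2.5.80: Flags [S], seq 1000, win 64240, length 0
  1700000000.000400 IP (tos 0x0, ttl 64, id 4243, offset 0, flags [DF], proto TCP (6), length 60)
      10.0.0.10.54322 > 192.0.2.5.80: Flags [S], seq 2000, win 64240, length 0
  1700000000.001950 IP (tos 0x0, ttl 63, id 777, offset 0, flags [DF], proto TCP (6), length 60)
      192.0.2.5.80 > 10.0.0.10.54321: Flags [S.], seq 5000, ack 1001, win 65535, length 0
TXT

OUTSIDE_SAMPLE = <<~TXT
  1700000000.000350 IP (tos 0x0, ttl 63, id 4242, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.10.54321 > 192.0.2.5.80: Flags [S], seq 1000, win 64240, length 0
  1700000000.001800 IP (tos 0x0, ttl 64, id 777, offset 0, flags [DF], proto TCP (6), length 60) 192.0.2.5.80 > 10.0.0.10.54321: Flags [S.], seq 5000, ack 1001, win 65535, length 0
  1700000000.002500 ARP, Request who-has 192.0.2.1 tell 192.0.2.5, length 28
TXT

if __FILE__ == $PROGRAM_NAME
  inside, outside = ARGV.size == 2 ? ARGV.map { |f| File.read(f) } : [INSIDE_SAMPLE, OUTSIDE_SAMPLE]
  residence_times(inside, outside).each do |r|
    src, dst, id = r[:key]
    printf("%-10s -> %-10s id %-5d %-8s %s\n", src, dst, id, r[:ingress],
           r[:usec] ? "#{r[:usec]} us" : "no match (dropped?)")
  end
end
```

Run it as `ruby fwtime.rb inside.txt outside.txt`; with no arguments it runs on the embedded samples, where the SYN with id 4242 spends 250 us in the box, the SYN-ACK with id 777 comes back the other way in 150 us, and id 4243 never reaches the outside interface, so it is reported as unmatched. Two caveats worth keeping in mind: the two captures must come from the same clock (a single host capturing both interfaces is the simplest way to get that), and the key only works where the IP id field is populated uniquely per packet and not rewritten in transit; for TCP traffic through a NAT device, keying on the TCP sequence number instead is the usual fallback.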