Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: [Wireshark-users] Weird capture-timestamps

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: Jaakko Hakalahti <e0201091@xxxxxx>
Date: Sun, 01 Apr 2007 19:10:09 +0300


Hello,
I have been trying to figure out how to measure RTP-traffic delays on a LAN and I have encountered the following error in the test results: Traffic seems to be captured before it has been sent. Let me explain, VoIP-traffic is being sent from computer A using X-lite softphone. From that computer I am capturing the traffic with Wireshark 0.99.5. I have second computer B, which also runs X-lite and captures the traffic with Wireshark. Between these two computers I have a PC-bridge from which I am intending to run Network Emulation to test some VoIP-related things, i.e. delay, jitter, etc. Then I have an Asterisk PBX to make it possible for me to make SIP/RTP-calls both in peer-to-peer type and via the PBX. I have NTP-timeserver on the same PC as the Asterisk and I am updating the OS clocks from it automatically once every second. This I hope will be enough for the clocks to be synchronized with enough accuracy(+/- few milliseconds).
The Frame header on each packet holds the Arrival Time -timestamp, which as far as I know, tells us the time when this particular packet was captured. Now since I assume that the OS clocks are synchronized between the A and B PC's, the packets I capture from both peers should be comparable. If PC A sends a packet which it captures lets say at 17:03:32.287856000, the PC B captures it few milliseconds later, 17:03:32.290266000, difference between the two times should then be an approximate of the delay between these two peers.
This calculation works always to one way and gives me results between 1-10 milliseconds. (It's a LAN without disturbing traffic). But always when I measure the reversed traffic, the timestamps are wrong: Packet was captured on the receiving PC before it was captured on the sending PC. This happens every time and does not seem to have anything to do with the codec used, if the call was p2p or via PBX.
I don't understand why this happens, I was hoping that some of you would know the answer?
What is the thing that marks the Arrival time -timestamp on the packet, is it the Wireshark, OS, NIC card driver or what?
For sure this problem has something to do with the hardware of the PC's, because when I used two identical PC's(both in hardware and software) the delay seems to be pretty much the same for both directions and I the "receiving before sending" does not occur anymore. 

Greetings,
Jaakko
  • Follow-Ups:
    • Re: [Wireshark-users] Weird capture-timestamps
      • From: Anders Broman
  • Next by Date: Re: [Wireshark-users] Weird capture-timestamps
  • Next by thread: Re: [Wireshark-users] Weird capture-timestamps
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation