
Wireshark-users: Re: [Wireshark-users] Weird capture-timestamps

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Sun, 1 Apr 2007 21:06:37 +0200
Hi,
Some info about timestamps can be found here:
http://wiki.wireshark.org/Timestamps

Best regards
Anders

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of Jaakko Hakalahti
Sent: 1 April 2007 18:10
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Weird capture-timestamps


Hello,

I have been trying to figure out how to measure RTP traffic delays on a 
LAN and I have encountered the following error in the test results: 
traffic seems to be captured before it has been sent. Let me explain. 
VoIP traffic is being sent from computer A using the X-lite softphone. From 
that computer I am capturing the traffic with Wireshark 0.99.5. I have a 
second computer B, which also runs X-lite and captures the traffic with 
Wireshark. Between these two computers I have a PC bridge from which I 
am intending to run network emulation to test some VoIP-related things, 
i.e. delay, jitter, etc. Then I have an Asterisk PBX to make it 
possible for me to make SIP/RTP calls both peer-to-peer and via 
the PBX. I have an NTP time server on the same PC as the Asterisk and I am 
updating the OS clocks from it automatically once every second. This I 
hope will be enough for the clocks to be synchronized with enough 
accuracy (+/- a few milliseconds).

The Frame header on each packet holds the Arrival Time timestamp, 
which, as far as I know, tells us the time when this particular packet 
was captured. Now since I assume that the OS clocks are synchronized 
between the A and B PCs, the packets I capture from both peers should 
be comparable. If PC A sends a packet which it captures at, let's say, 
17:03:32.287856000, and PC B captures it a few milliseconds later, at 
17:03:32.290266000, the difference between the two times should then be an 
approximation of the delay between these two peers.

This calculation always works in one direction and gives me results between 
1-10 milliseconds. (It's a LAN without disturbing traffic.) But whenever 
I measure the reverse traffic, the timestamps are wrong: the packet 
was captured on the receiving PC before it was captured on the sending 
PC. This happens every time and does not seem to have anything to do 
with the codec used, or whether the call was p2p or via the PBX.

I don't understand why this happens, I was hoping that some of you 
would know the answer?

What is the thing that marks the Arrival Time timestamp on the packet: 
is it Wireshark, the OS, the NIC driver, or what?

For sure this problem has something to do with the hardware of the 
PCs, because when I used two identical PCs (both in hardware and 
software) the delay seems to be pretty much the same for both 
directions and the "receiving before sending" does not occur anymore.

Greetings,
Jaakko
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
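The two-capture comparison described in the thread, as an added example that is not part of the original messages or of Wireshark itself. It takes the same RTP packets as seen in host A's capture and host B's capture, matches them by SSRC and sequence number, and computes receiver-minus-sender arrival-time differences in each direction. Each such difference is the true path delay plus the offset of the receiver's clock relative to the sender's, so a constant clock offset between the two hosts inflates one direction and deflates the other (possibly below zero), while the sum of the two directions cancels the offset and gives a round-trip estimate; if the path is assumed symmetric, half the difference of the two directions estimates the offset itself. The field names (frame.time_epoch, rtp.ssrc, rtp.seq) are tshark's; the capture data below is constructed with a known 3 ms path delay and an 8 ms clock offset, and is not taken from the poster's setup.

```python
"""Compare Wireshark frame arrival times for the same RTP packets captured on
two hosts and estimate one-way delay per direction plus clock offset.

Each record is (arrival_time_seconds, ssrc, rtp_sequence_number), the fields
one would export with:  tshark -r cap.pcap -Y rtp -T fields \
    -e frame.time_epoch -e rtp.ssrc -e rtp.seq
The sample captures are constructed for this example, not real data.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class RtpFrame:
    t: float      # frame.time_epoch as stamped by the capturing host
    ssrc: int     # rtp.ssrc identifies the stream, and therefore the sender
    seq: int      # rtp.seq identifies the packet within that stream


# Constructed SSRCs: A sends stream 0x1111, B sends stream 0x2222.
SSRC_A_TO_B = 0x1111
SSRC_B_TO_A = 0x2222


def pair_frames(cap_a, cap_b):
    """Match frames seen on both hosts by (ssrc, seq); unmatched frames drop."""
    idx_b = {(f.ssrc, f.seq): f for f in cap_b}
    return [(fa, idx_b[(fa.ssrc, fa.seq)]) for fa in cap_a
            if (fa.ssrc, fa.seq) in idx_b]


def one_way_delays(cap_a, cap_b, ssrc_a_sends):
    """Return (a_to_b, b_to_a) lists of receiver-minus-sender differences.

    Each value equals the true one-way delay plus the receiver clock's offset
    relative to the sender clock, which is why one direction can go negative
    when the hosts' clocks disagree.
    """
    fwd, rev = [], []
    for fa, fb in pair_frames(cap_a, cap_b):
        if fa.ssrc == ssrc_a_sends:
            fwd.append(fb.t - fa.t)   # sent by A, stamped on receipt by B
        else:
            rev.append(fa.t - fb.t)   # sent by B, stamped on receipt by A
    return fwd, rev


def estimate_offset_and_rtt(fwd, rev):
    """Offset of B's clock relative to A's and round-trip estimate (seconds).

    fwd + rev = delay_ab + delay_ba, the offset cancels.
    (fwd - rev) / 2 = offset, assuming the path delay is symmetric.
    Medians are used so a few late or dropped frames do not skew the result.
    """
    f, r = median(fwd), median(rev)
    return (f - r) / 2, f + r


def constructed_captures(true_delay=0.003, b_offset=0.008, ptime=0.020, n=5):
    """Build two captures with known ground truth (constructed example data)."""
    cap_a, cap_b = [], []
    for k in range(n):
        t_send_a = 100.0 + ptime * k                       # A's clock
        cap_a.append(RtpFrame(t_send_a, SSRC_A_TO_B, k))
        cap_b.append(RtpFrame(t_send_a + true_delay + b_offset, SSRC_A_TO_B, k))
        t_send_b = 100.010 + ptime * k                     # B's clock
        cap_b.append(RtpFrame(t_send_b, SSRC_B_TO_A, k))
        # Convert B's send time to A's clock (subtract offset), then add delay.
        cap_a.append(RtpFrame(t_send_b - b_offset + true_delay, SSRC_B_TO_A, k))
    return cap_a, cap_b


def analyse(cap_a, cap_b):
    """Summarise both directions in milliseconds and flag impossible values."""
    fwd, rev = one_way_delays(cap_a, cap_b, SSRC_A_TO_B)
    offset, rtt = estimate_offset_and_rtt(fwd, rev)
    return {
        "a_to_b_ms": median(fwd) * 1000,
        "b_to_a_ms": median(rev) * 1000,
        "offset_b_minus_a_ms": offset * 1000,
        "rtt_ms": rtt * 1000,
        "received_before_sent": any(d < 0 for d in fwd + rev),
    }


if __name__ == "__main__":
    for key, value in analyse(*constructed_captures()).items():
        print(f"{key}: {value}")
```

With the constructed data, A-to-B reads 11 ms and B-to-A reads -5 ms, which is the "received before it was sent" pattern; the round-trip estimate of 6 ms is unaffected by the offset, and the recovered 8 ms offset is exactly what was injected. Rerunning this on real exports from both hosts tells you whether the anomaly is a constant offset (the same shift in every pair) or something else, such as jitter in where the timestamps are taken.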