On Thu, Jun 13, 2002 at 05:32:41PM +0800, Huang Qian wrote:
> The webpages about pcap says that the "pcap_pkthdr" structure contains
> the information about when the packet was sniffed, that is:
> struct pcap_pkthdr{
> struct timeval ts;
> bpf_u_int32 caplen;
> bpf_u_int32 len;
> }
> I wonder whether the "ts" is just the time when the pcap captured the
> packet?
What "ts" means depends on the operating system on which you're
capturing packets.
On most operating systems, it's the time at which the driver for the
network interface gave the packet to the OS's packet capture mechanism;
on some OSes where the operating system doesn't itself put a time stamp
on the packet, it's the time at which the libpcap library read the
packet from the OS kernel.
I.e., the time isn't necessarily the time when the packet arrived on the
machine running tcpdump/Ethereal/whatever sniffer program you're using -
it may be a later time (although it probably won't be much later).
> Whether Ethereal use this data for the time when a packet was
> captured?
Yes, Ethereal does.
> Ethereal display the captured packets like:
> Frame 1
> Arrival time: Jun 13, 2002 12:00:00.1234546789
> �� ...
>
> How Ethereal gets this arrival time? from the pcap_pkthdr mentioned
> upper?
Yes.
> the datum "123456789" come directly from the "tv_usec" part in
> the timeval strcuture?
Yes.
Note that not all OSes necessarily provide high-precision time stamps;
they might, for example, provide time stamps with 1 millisecond or 10
millisecond resolution.
