Hi,Dear Guy Harris,
Thanks for your great help.
However, I still don't understand the capture time Ethereal display. for example, when I capture the icmp packet produced by "ping host B" on host A, it shows the same capture time of echo request and echo reply, as the following:
1 0.000000 A B ICMP Echo(ping) request
Arrival Time: Jun 14,2002 12:00:00.123456789
...
2 0.000000 B A ICMP Echo(ping) reply
Arrival Time: Jun 14,2002 12:00:00.123456789
...
I wonder why the set of icmp packets arrive at the same time? since A ping B, and B returns a echo reply, it shouldn't produce at the same time!
More ever, I captured the "A ping B" echo request packet on host B, and I want to compute the transmit time for the packet.(A and B have been synchronized by NTP time server)
But
transmit = "the arrvial time on host B" subtract "the time of the echo request produced on host A"
the transmit seems much different from the "round-trip time"/2 displayed by "ping", I mean, it seems they are not in the same quantity scale. So I feel confused. Would you like to give me some suggestion?
Thanks again!
Best Regards!
Qian Huang
Intern Student
Bell Labs Research China
Email:huangq@xxxxxxxxxxxxxxxxxxxxxxxxxx
http://blrc.edu.cn
========Original Messages==========
>On Thu, Jun 13, 2002 at 05:32:41PM +0800, Huang Qian wrote:
>> The webpages about pcap says that the "pcap_pkthdr" structure contains
>> the information about when the packet was sniffed, that is:
>> struct pcap_pkthdr{
>> struct timeval ts;
>> bpf_u_int32 caplen;
>> bpf_u_int32 len;
>> }
>> I wonder whether the "ts" is just the time when the pcap captured the
>> packet?
>
>What "ts" means depends on the operating system on which you're
>capturing packets.
>
>On most operating systems, it's the time at which the driver for the
>network interface gave the packet to the OS's packet capture mechanism;
>on some OSes where the operating system doesn't itself put a time stamp
>on the packet, it's the time at which the libpcap library read the
>packet from the OS kernel.
>
>I.e., the time isn't necessarily the time when the packet arrived on the
>machine running tcpdump/Ethereal/whatever sniffer program you're using -
>it may be a later time (although it probably won't be much later).
>
>> Whether Ethereal use this data for the time when a packet was
>> captured?
>
>Yes, Ethereal does.
>
>> Ethereal display the captured packets like:
>> Frame 1
>> Arrival time: Jun 13, 2002 12:00:00.1234546789
>> ...
>>
>
>> How Ethereal gets this arrival time? from the pcap_pkthdr mentioned
>> upper?
>
>Yes.
>
>> the datum "123456789" come directly from the "tv_usec" part in
>> the timeval strcuture?
>
>Yes.
>
>Note that not all OSes necessarily provide high-precision time stamps;
>they might, for example, provide time stamps with 1 millisecond or 10
>millisecond resolution.
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users
