Ethereal-users: Re: Re: [Ethereal-users] how to understand the capture time!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 13 Jun 2002 20:42:54 -0700

On Fri, Jun 14, 2002 at 10:26:49AM +0800, Huang Qian wrote:
> However, I still don't understand the capture time Ethereal displays.
> for example, when I capture the icmp packet produced by "ping host B" on
> host A, it shows the same capture time of echo request and echo reply,
> as the following:
> 
> 1  0.000000  A   B   ICMP  Echo(ping) request
>      Arrival Time: Jun 14,2002 12:00:00.123456789
>      ...
> 2  0.000000  B   A   ICMP  Echo(ping) reply
>      Arrival Time: Jun 14,2002 12:00:00.123456789
>      ...
> 
> I wonder why the set of icmp packets arrive at the same time?

You're assuming they *did* arrive at the same time; that may not be the
case.

Perhaps the OS on which you're running the program on which you're
capturing packets doesn't time-stamp the packets with a sufficiently
high-resolution time stamp, and doesn't try to give packets unique time
stamps, either.

If, for example, the reply was received .1 milliseconds after the
request was sent, but the timer the OS uses to time-stamp the packets
has only a 1-millisecond resolution, the two packets might be given the
same time stamp even though the request was sent at a different time
from when the reply arrived.

There's nothing Ethereal can do about that; it just displays the times
libpcap gave it (or gave whatever program wrote the capture file).
There's probably not much libpcap can do about that, either; it just
gets the times that the OS provides.

I mentioned this in my previous reply when I said:

> >Note that not all OSes necessarily provide high-precision time stamps;
> >they might, for example, provide time stamps with 1 millisecond or 10
> >millisecond resolution.
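
The following is an added example, not part of the original e-mail or of Ethereal/libpcap: it reads the per-packet time stamps from a classic libpcap capture file and estimates the apparent tick of the clock that stamped them, which is a useful check before trusting packet ordering or round-trip times from a capture. The function names and the sample capture (a request and reply 0.1 ms apart, stamped by a 1 ms clock) are constructed for illustration.

```python
import struct
from functools import reduce
from math import gcd

# Magic bytes as stored in the file -> (struct byte order, time-stamp units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

def build_pcap(timestamps_us):
    """Constructed sample: little-endian microsecond pcap with dummy 4-byte packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps_us:
        out += struct.pack("<IIII", ts // 10**6, ts % 10**6, 4, 4) + b"\x00" * 4
    return out

def read_timestamps(data):
    """Return (list of integer time stamps, units per second) from a pcap file image."""
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, per_sec = MAGICS[data[:4]]
    off, stamps = 24, []                      # 24-byte global header
    while off + 16 <= len(data):              # 16-byte per-record header
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * per_sec + frac)
        off += 16 + incl_len
    return stamps, per_sec

def timestamp_report(data):
    """Estimate the clock tick and count adjacent packets with identical stamps."""
    stamps, per_sec = read_timestamps(data)
    # Largest step that divides every sub-second value: an upper bound on the
    # real tick, and only meaningful once the capture holds a fair number of packets.
    tick = reduce(gcd, (t % per_sec for t in stamps), per_sec)
    equal = sum(1 for a, b in zip(stamps, stamps[1:]) if a == b)
    return {"packets": len(stamps), "tick_seconds": tick / per_sec,
            "adjacent_equal": equal}

# Constructed capture: each request/reply pair lands inside the same 1 ms tick.
BASE = 1_024_027_200 * 10**6
SAMPLE = build_pcap([BASE + 123_000, BASE + 123_000,
                     BASE + 1_124_000, BASE + 1_124_000, BASE + 2_125_000])

if __name__ == "__main__":
    print(timestamp_report(SAMPLE))
```

A reported tick of 0.001 s together with adjacent identical stamps points to coarse OS time-stamping rather than packets that truly arrived at the same instant.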