Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] regarding pcap timestamps

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 21 Mar 2012 15:15:06 -0700
On Mar 21, 2012, at 12:41 PM, abhinav narain wrote:

>    pcap gives the timestamp of a packet using the ioctle call with flag SIOCGSTAMP.

pcap gets the time stamp of a packet by various mechanisms on various operating systems; it uses SIOCGSTAMP on Linux *if* it's not using the memory-mapped capture mechanism.

More to the point, pcap gets the time stamp of a packet by mechanisms that return the time in UN*X format (well, on Windows it's converted to UN*X format by the driver that WinPcap uses), i.e. seconds and fractions of a second since January 1, 1970, 00:00:00 UTC, and the packets are, in most cases, time-stamped by the operating system's networking stack at some point in the packet's path up to userland, which could be a point after the packet arrives at the networking adapter.

> Is it the same timestamp reported by radiotap header

If you're referring to the TSFT value from the radiotap header:

	http://www.radiotap.org/defined-fields/TSFT

no, it is not.  That time stamp is the "value in microseconds of the MAC's 64-bit 802.11 Time Synchronization Function timer when the first bit of the MPDU arrived at the MAC."  That's described in IEEE Std 801.11-2007 in section 11.1 "Synchronization"; that says that the TSF timer is in units of microseconds, but says nothing whatsoever about the time base of the timer.

This means that:

	1) The packet time stamp from pcap is a value counting seconds and microseconds since January 1, 1970, 00:00:00 UTC; the TSF timer could be seconds and microseconds since some arbitrary time in the past.

	2) The packet time stamp is assigned to the packet at some arbitrary point between the point when it arrives at the network adapter and the point at which it's queued up for userland to read; the TSF timer value is assigned at the point "when the first bit of the MPDU [arrives] at the MAC".

I just did a traffic capture on our 802.11 network, and the first packet has a pcap time stamp of 1332367676.553527000 seconds since January 1, 1970, 00:00:00 UTC and a TSF timer value of 1958026856435 microseconds, or 1958026.856435 seconds, since, well, the time base of my machine's Wi-Fi adapter's TSF timer.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube