Wireshark-dev: Re: [Wireshark-dev] Absolute arrival time of packet in wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 27 Jun 2014 00:53:35 -0700

On Jun 27, 2014, at 12:23 AM, Vishnu Bhatt <vishnu.bhatt@xxxxxxxxxxx> wrote:

> Thanks for all the replies.
> One more thing I would like to ask: I've noticed that the last three digits of the time shown in Wireshark to nanosecond precision are always zero (for every packet).
> 
> E.g. Arrival Time: Oct 23, 2013 23:21:07.388979000 IST.
> 
> In the above case also the last three digits in .388979000 are zero, which means microsecs are multiplied with 1000 to get the nanosecs.
> 
> Can somebody please clarify more on this as to how the nanosecs are obtained?

For standard pcap captures, the nanoseconds are obtained by taking the microseconds from the capture file and multiplying them by 1000; for nanosecond-resolution pcap captures, they're directly obtained from the capture file.

For pcap-ng captures, they're obtained by scaling the time stamps appropriately.

Ideally, we would keep track of the precision of each time stamp, and not display insignificant trailing zeroes, but we're not doing that in all cases; currently, the time stamp precision is per-file, not per-interface or per-packet, and for pcap-ng files, which are now the default file format for Wireshark, there is no per-file precision, there's just per-interface precision, so we just report the per-file precision as nanoseconds, and calculate the seconds and nanoseconds from the raw time stamp values (which aren't in seconds and nanoseconds, they're in a per-interface fraction-of-a-second form).
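
The scaling described in the reply above, as an added example that is not part of the original message and is not Wireshark's code: it reads classic pcap record time stamps (microsecond and nanosecond magic numbers, either byte order) and scales a pcap-ng 64-bit time stamp by its interface's `if_tsresol` option. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers, read big-endian from the first 4 bytes:
# value -> (struct byte-order prefix, multiplier to reach nanoseconds).
MAGICS = {
    0xA1B2C3D4: (">", 1000),  # microsecond pcap, big-endian writer
    0xD4C3B2A1: ("<", 1000),  # microsecond pcap, little-endian writer
    0xA1B23C4D: (">", 1),     # nanosecond pcap, big-endian writer
    0x4D3CB2A1: ("<", 1),     # nanosecond pcap, little-endian writer
}

def pcap_timestamps_ns(data):
    """Return [(seconds, nanoseconds)] for each record in a classic pcap byte string."""
    (magic,) = struct.unpack(">I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, scale = MAGICS[magic]
    out, off = [], 24  # records start after the 24-byte file header
    while off + 16 <= len(data):
        sec, frac, caplen, _origlen = struct.unpack(order + "IIII", data[off:off + 16])
        out.append((sec, frac * scale))  # microseconds * 1000, or nanoseconds as-is
        off += 16 + caplen
    return out

def pcapng_ts_to_ns(ts_high, ts_low, if_tsresol=6):
    """Scale a pcap-ng time stamp (two 32-bit halves) to (seconds, nanoseconds).
    if_tsresol: high bit clear means units of 10^-n s, set means 2^-n s; default 6."""
    raw = (ts_high << 32) | ts_low
    n = if_tsresol & 0x7F
    units_per_sec = 2 ** n if if_tsresol & 0x80 else 10 ** n
    sec, frac = divmod(raw, units_per_sec)
    return sec, frac * 1_000_000_000 // units_per_sec

def sample_pcap(magic, order, sec, frac, payload=b"\x00" * 4):
    """Constructed one-record capture: file header, record header, dummy payload."""
    hdr = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack(order + "IIII", sec, frac, len(payload), len(payload))
    return hdr + rec + payload

if __name__ == "__main__":
    SEC = 1382550667  # constructed sample value
    print(pcap_timestamps_ns(sample_pcap(0xA1B2C3D4, "<", SEC, 388979)))
    print(pcap_timestamps_ns(sample_pcap(0xA1B23C4D, ">", SEC, 388979123)))
```

When correlating events across captures, the trailing `000` in a microsecond-sourced time stamp is padding, not measured precision.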