
Wireshark-users: Re: [Wireshark-users] internal time-function

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 30 Oct 2006 10:24:31 -0800
Steffen Röttig wrote:

I have a little question about the internal workings.
Wireshark can choose among 4 time views. I think the source for the views is the timestruct in the Ethernet header. Or not?

Given that there is no time stamp in the Ethernet header (that header has only a destination MAC address, a source MAC address, and a type/length field), the answer is "not".

Are the functions for the views Wireshark functions, or is it a feature of WinPcap?

i.e. does Wireshark get the packet from WinPcap,

Wireshark doesn't get the packet from WinPcap on the machine on which I'm typing this, because it doesn't run Windows; it gets it from libpcap.

Libpcap and WinPcap, in turn, get the packet from some mechanism that's part of the OS (either they do this purely from userland in UN*X, or in the kernel-mode WinPcap driver in Windows). ("WinPcap" here refers to the wpcap.dll library, the packet.dll library, and the kernel-mode WinPcap driver.)

They also get the time stamp, in most cases, from the same mechanism in UN*X, or from some kernel mechanism in Windows. (In HP-UX, the kernel mechanism doesn't supply a time stamp, so libpcap just directly calls gettimeofday() to get the current time - which means that the time might be more inaccurate.)

Libpcap and WinPcap supply to the caller

1) a structure that contains the packet time stamp, the length of the packet as received by the host, and the amount of the packet data that was supplied to libpcap/WinPcap (because you can request that it supply no more than N bytes of packet data, if you're only interested in, for example, headers up to the TCP layer);

2) the raw packet data.

Wireshark, like tcpdump/WinDump and other applications using libpcap/WinPcap, gets the packet time stamps from that structure.

That time stamp is an absolute time. For the "time of day" and "date and time of day" displays, Wireshark just uses that time (and localtime() to convert the seconds-resolution part of that time from "seconds since January 1, 1970, 00:00:00 GMT" to a local time and date, specified as year/month/day/hour/minute/second). For the relative time, it subtracts the time stamp of the first packet to get a relative time in seconds and microseconds (or nanoseconds, if it's reading a capture file with nanosecond resolution); for the delta time, it subtracts the time stamp of the previous packet (and just uses 0 for the first packet).
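The per-packet header and the three time calculations described above, as an added example that is not part of the original post or of Wireshark's code. It declares its own `pkt_hdr` mirroring libpcap's `struct pcap_pkthdr` so it builds without pcap.h, and the three sample headers are constructed, not from a real capture.

```c
#include <stdio.h>
#include <time.h>
#include <sys/time.h>

/* Mirror of the per-packet header libpcap/WinPcap hands to the caller
 * (struct pcap_pkthdr); declared here so the example builds without pcap.h. */
struct pkt_hdr {
    struct timeval ts;   /* absolute time stamp: seconds + microseconds since 1970-01-01 00:00:00 GMT */
    unsigned int caplen; /* bytes of packet data actually supplied (capped by the requested snapshot length) */
    unsigned int len;    /* length of the packet as received by the host */
};

/* a - b in seconds and microseconds, borrowing a second when the usec part goes negative */
static struct timeval tv_sub(struct timeval a, struct timeval b) {
    struct timeval d = { a.tv_sec - b.tv_sec, a.tv_usec - b.tv_usec };
    if (d.tv_usec < 0) { d.tv_usec += 1000000; d.tv_sec -= 1; }
    return d;
}
/* Relative time: this packet's time stamp minus the first packet's. */
struct timeval relative_time(const struct pkt_hdr *pkts, size_t i) {
    return tv_sub(pkts[i].ts, pkts[0].ts);
}
/* Delta time: this packet's time stamp minus the previous packet's; 0 for the first packet. */
struct timeval delta_time(const struct pkt_hdr *pkts, size_t i) {
    struct timeval zero = { 0, 0 };
    return i == 0 ? zero : tv_sub(pkts[i].ts, pkts[i - 1].ts);
}
/* "Date and time of day": localtime() on the seconds part, microseconds appended. */
void format_absolute(const struct pkt_hdr *p, char *buf, size_t n) {
    time_t secs = (time_t)p->ts.tv_sec;
    size_t k = strftime(buf, n, "%Y-%m-%d %H:%M:%S", localtime(&secs));
    snprintf(buf + k, n - k, ".%06ld", (long)p->ts.tv_usec);
}
/* Constructed sample: three headers as libpcap would fill them in (not a real capture). */
const struct pkt_hdr sample[3] = {
    { { 1162232671, 900000 }, 66, 66 },   /* full 66-byte frame captured */
    { { 1162232672, 100000 }, 96, 1514 }, /* 1514-byte frame cut to a 96-byte snapshot */
    { { 1162232675,  50000 }, 60, 60 },
};
int main(void) {
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        struct timeval rel = relative_time(sample, i), dl = delta_time(sample, i);
        format_absolute(&sample[i], buf, sizeof buf);
        printf("%zu %s rel=%ld.%06ld delta=%ld.%06ld caplen=%u len=%u\n", i, buf,
               (long)rel.tv_sec, (long)rel.tv_usec, (long)dl.tv_sec, (long)dl.tv_usec,
               sample[i].caplen, sample[i].len);
    }
    return 0;
}
```

The second and third samples cross a seconds boundary, so they exercise the microsecond borrow that a naive subtraction of the two fields would get wrong.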