Wireshark-users: [Wireshark-users] Weird capture-timestamps
From: Jaakko Hakalahti <[email protected]>
Date: Sun, 01 Apr 2007 19:10:09 +0300

I have been trying to figure out how to measure RTP-traffic delays on a LAN and I have encountered the following error in the test results: traffic seems to be captured before it has been sent. Let me explain: VoIP traffic is being sent from computer A using the X-Lite softphone. On that computer I am capturing the traffic with Wireshark 0.99.5. I have a second computer B, which also runs X-Lite and captures the traffic with Wireshark. Between these two computers I have a PC bridge, from which I am intending to run network emulation to test some VoIP-related things, i.e. delay, jitter, etc. Then I have an Asterisk PBX to make it possible for me to make SIP/RTP calls both peer-to-peer and via the PBX. I have an NTP time server on the same PC as the Asterisk, and I am updating the OS clocks from it automatically once every second. This I hope will be enough for the clocks to be synchronized with enough accuracy (+/- a few milliseconds).
The Frame header on each packet holds the Arrival Time timestamp, which, as far as I know, tells us the time when this particular packet was captured. Now, since I assume that the OS clocks are synchronized between the A and B PCs, the packets I capture from both peers should be comparable. If PC A sends a packet which it captures at, let's say, 17:03:32.287856000, and PC B captures it a few milliseconds later, at 17:03:32.290266000, the difference between the two times should then approximate the delay between these two peers.
This calculation always works in one direction and gives me results between 1-10 milliseconds. (It's a LAN without disturbing traffic.) But whenever I measure the reverse traffic, the timestamps are wrong: the packet was captured on the receiving PC before it was captured on the sending PC. This happens every time and does not seem to have anything to do with the codec used, or with whether the call was p2p or via the PBX.
I don't understand why this happens; I was hoping that some of you would know the answer.
What is the thing that marks the Arrival Time timestamp on the packet: is it Wireshark, the OS, the NIC card driver, or something else?
For sure this problem has something to do with the hardware of the PCs, because when I used two identical PCs (both in hardware and software) the delay seems to be pretty much the same for both directions, and the "receiving before sending" does not occur anymore.