Wireshark-users: Re: [Wireshark-users] Capturing and merging files from different machines
From: Guy Harris <[email protected]>
Date: Wed, 18 Jun 2008 15:16:30 -0700
On Jun 18, 2008, at 2:13 PM, Chris Swinney wrote:

I may have miss read the merged file. I'm not sure if the merged file is totally correct as I seem to be getting responses before requests, but they DO appear to be in chronological order. I'm not sure at which point the time stamp is applied to the packet and if the sniffing PC's have any effect on this - I think not. I assume that the time stamp is applied to the header by whatever device sent the packet, not by a device listening.
No.  The time stamps Wireshark gets from libpcap/WinPcap when it's  
capturing are the time stamps libpcap/the user-mode WinPcap code get  
from the OS's native capture mechanism/the WinPcap driver; from the  
point of view of libpcap/WinPcap, packets are time-stamped when they  
are *received*, not when they are *sent*.
Note also that the time stamp value comes from the clock's value at  
the time the time-stamping code runs; that could be after the packet  
is received by the network adapter or provided to the network adapter  
by the host.  See the page Sake Blok mentioned in his message:
	http://wiki.wireshark.org/Timestamps