Wireshark and Timestamps

[d.j.s.legge () reading ac uk]

Guy,

Thanks for your response. I've captured traffic from both production and 
lab networks and I'm looking at using kNN to cluster traffic types. 
Therefore I need to create attributes on which to cluster. One of these 
will be packet (frame) length, the other will be time. The assumption being 
that small packets (in length) have a low packet transmit time. However I 
need to be able to present just transmission time, the time it takes for 
the packet or frame to transit, without the time_delta which is the time 
after that packet/frame and before the start of the next. Can this be done 
even if it is a manual formula on the data when its imported to Excel?

Thanks

Doug

Message: 8
Date: Mon, 26 Oct 2009 11:03:41 -0700
From: Guy Harris <guy () alum mit edu>
Subject: Re: [Wireshark-users] Wireshark and Timestamps
To: Community support list for Wireshark
        <wireshark-users () wireshark org>
Message-ID: <D71A477E-6274-4F9C-992C-9CFBA526403B () alum mit edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On Oct 25, 2009, at 8:58 AM, d.j.s.legge () reading ac uk wrote:

> Can I please confirm that the timestamps used by Wireshark:
>
> frame_time - This is the actual date/time (as presented by the local 
> computer clock) to Wireshark for stamping e.g. num 1. Apr 23 2009 
> 17:34:49.861864000 num 2. Apr 23 2009 17:34:49.861942000 num 3. Apr
> 23 2009
> 17:34:49.861979000

This is the actual date/time (as presented by the clock on the machine 
doing the capturing, which might or might not be the machine on which 
you're running Wireshark - somebody else might have captured the traffic 
into a file on another machine and sent it to you).

> frame_time_delta - This is the time gap between the end of frame x and 
> the start of frame y. In example below there is 0.000037 seconds 
> between the end of frame # 2 and the start of frame #3 num 1. 0.000000 
> num 2.
> 0.000078
> num 3. 0.000037

For the Nth frame in the capture (*NOT* the Nth frame in the display, as 
the display might be filtered), for N > 1, this is the difference between 
the frame_time of the Nth frame and the frame_time of the N-1st frame. (For 
the first frame, it's 0.)

> frame_time_relative - This is essentially frame time sigma. That is 
> the cumulative time of all frame (packets) from the first capture at 
> 0.000000 num 1. 0.000000 num 2. 0.000078 num 3. 0.000115

If there's a frame before this frame that's marked as a "time stamp 
reference", it is the difference between the frame_time of this frame and 
the frame_time of the "time stamp reference" frame. Otherwise, it is the 
difference between the frame_time of this frame and the frame_time of the 
first frame in the capture (so, for the first frame in the capture, it's 
obviously zero).

> The question is how does one confirm the exact frame transport time 
> less the time_delta? I want to be able to measure the exact period of 
> time that it takes a frame to transition the NIC

What do you mean by "transition the NIC"?

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe