Wireshark mailing list archives
Re: Wireshark and Timestamps
From: Guy Harris <guy () alum mit edu>
Date: Mon, 26 Oct 2009 12:17:15 -0700
On Oct 26, 2009, at 11:50 AM, d.j.s.legge () reading ac uk wrote:
> Thanks for your response. I've captured traffic from both production and lab networks and I'm looking at using kNN to cluster traffic types. Therefore I need to create attributes on which to cluster. One of these will be packet (frame) length, the other will be time. The assumption being that small packets (in length) have a low packet transmit time. However I need to be able to present just transmission time, the time it takes for the packet or frame to transit,
Again, what do you mean by "transition the NIC" or "transit"? If you're trying to, for example, find the time between the point at which the NIC is told to transmit the packet and the point at which the last bit of the packet is put onto the network, you can't get that from any of the packet capture mechanisms that are available to libpcap/WinPcap, and thus you can't get that from Wireshark. The time stamps that the capture mechanisms provide to libpcap/WinPcap, and thus to Wireshark (or any other app using libpcap/WinPcap), are the time at which the capture mechanism is handed the packet. For incoming packets, this could be a significant amount of time after the packet is received by the NIC; for outgoing packets, it's the time at which the driver or networking stack happens to hand the packet to the capture mechanism, which is probably before the packet is even put onto the network.
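The point made in the reply above, as an added example that is not part of the original message or of the Wireshark/libpcap code: a parser for the classic pcap file format, run over a constructed three-packet capture, showing that each record stores exactly one timestamp (when the capture mechanism was handed the packet) and two lengths, so the only time attribute that can be derived per packet is the gap to the previous record. The names `parse_pcap`, `features` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

# Classic pcap layout: 24-byte file header, then a 16-byte header per record.
FILE_HDR = "IHHiIII"  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"      # ts_sec, ts_frac, incl_len, orig_len
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D


def parse_pcap(data):
    """Return (ts_ns, incl_len, orig_len) for every record in a classic pcap."""
    if len(data) < struct.calcsize("<" + FILE_HDR):
        raise ValueError("too short for a pcap file header")
    for endian in "<>":  # the magic number tells us the writer's byte order
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    frac_to_ns = 1000 if magic == MAGIC_USEC else 1
    offset = struct.calcsize(endian + FILE_HDR)
    records = []
    while offset + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack_from(endian + REC_HDR, data, offset)
        offset += 16
        if offset + incl > len(data):
            raise ValueError("truncated record")
        # One timestamp per packet: there is no start/end pair to subtract.
        records.append((sec * 1_000_000_000 + frac * frac_to_ns, incl, orig))
        offset += incl
    return records


def features(records):
    """(orig_len, gap_ns to previous record): what a capture can support."""
    return [(orig, ts - prev_ts)
            for (prev_ts, _, _), (ts, _, orig) in zip(records, records[1:])]


def build_sample():
    """Constructed capture: three Ethernet-sized records, little-endian, usec."""
    out = struct.pack("<" + FILE_HDR, MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, length in [(1256584635, 100, 64), (1256584635, 350, 1514),
                              (1256584636, 20, 64)]:
        out += struct.pack("<" + REC_HDR, sec, usec, length, length) + bytes(length)
    return out


if __name__ == "__main__":
    for orig_len, gap_ns in features(parse_pcap(build_sample())):
        print(f"len={orig_len:5d} bytes  gap_since_previous={gap_ns} ns")
```

The gap reflects when the capture mechanism was handed each packet, not how long either packet spent on the NIC or the wire.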