tcpdump mailing list archives

Re: timestamp in Packet Data


From: Guy Harris <guy () alum mit edu>
Date: Sat, 9 Jul 2011 14:56:27 -0700


On Jul 9, 2011, at 4:41 PM, Alokat wrote:

> I'm wondering what is in the pcap_data (pcap file format) and what is not?
> Especially the timestamp ... is it just in the packet_header or in the
> packet_data too?

A pcap file starts with a header.  Following the header are zero or more packet records.  A packet record has a header, 
which includes the packet time stamp, followed by packet data, which is just the raw data as supplied to 
libpcap/WinPcap by whatever mechanism it uses.  That mechanism supplies the packet time stamp for inclusion in the 
header, so there is no reason to expect that it will also be in the packet data, especially given that no link layers 
would include that time stamp (it's not in an Ethernet header, for example), so the time stamp is just in the packet 
header, not the packet data.

The time stamp is an approximation of the time when the packet was received by the machine that captured it.
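The layout described in the message above, as an added example that is not part of the original post and is not libpcap code: a minimal reader for the classic microsecond-resolution pcap format that walks the 24-byte file header and each 16-byte record header. The helper names (`build_sample_pcap`, `parse_pcap`) and the sample frame and time stamp are constructed for illustration.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap magic, microsecond time stamps

def build_sample_pcap(packets, linktype=1, snaplen=65535):
    """Build a little-endian pcap byte string from (ts_sec, ts_usec, data) tuples."""
    # File header: magic, version 2.4, thiszone, sigfigs, snaplen, link-layer type.
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, data in packets:
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out

def parse_pcap(buf):
    """Return (linktype, [(ts_sec, ts_usec, orig_len, data), ...])."""
    if len(buf) < 24:
        raise ValueError("truncated file header")
    # The magic number is written in the capturing host's byte order.
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", buf, 0)[0] == MAGIC_USEC:
            break
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", buf, 0)[6]
    records, off = [], 24
    while off < len(buf):
        if len(buf) - off < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        # Never trust incl_len beyond what the file actually contains.
        if incl_len > len(buf) - off:
            raise ValueError("record claims more data than the file holds")
        records.append((ts_sec, ts_usec, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, records

# Constructed sample: one Ethernet frame (broadcast dst, locally administered src, IPv4 ethertype).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46
SAMPLE_TS = (1310248587, 123456)  # constructed time stamp (seconds, microseconds)
SAMPLE_PCAP = build_sample_pcap([(SAMPLE_TS[0], SAMPLE_TS[1], SAMPLE_FRAME)])

if __name__ == "__main__":
    linktype, records = parse_pcap(SAMPLE_PCAP)
    for ts_sec, ts_usec, orig_len, data in records:
        # The time stamp comes from the record header; data is the raw frame only.
        print(f"{ts_sec}.{ts_usec:06d} linktype={linktype} len={orig_len} {data[:14].hex()}")
```
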

