Re: timestamp in Packet Data

[Sanjay Sundaresan <sunda1 () usc edu>]

Is the approximation because of the fact that NIC card generarates interrupt
only after some number of packets arrive ?. Does device polling affect time
stamp ? At what stage of capture time stamping is done ?


On Sat, Jul 9, 2011 at 6:59 PM, Alokat <mailing () alokat org> wrote:

> On 07/09/11 21:56, Guy Harris wrote:
> > On Jul 9, 2011, at 4:41 PM, Alokat wrote:
> >
> > > I'm wondering what is in the pcap_data (pcap file format) and what is
> not?
> > > Especially the timestamp ... is it just in the packet_header or in the
> > > packet_data too?
> > A pcap file starts with a header.  Following the header are zero or more
> packet records.  A packet record has a header, which includes the packet
> time stamp, followed by packet data, which is just the raw data as supplied
> to libpcap/WinPcap by whatever mechanism it uses.  That mechanism supplies
> the packet time stamp for inclusion in the header, so there is no reason to
> expect that it will also be in the packet data, especially given that no
> link layers would include that time stamp (it's not in an Ethernet header,
> for example), so the time stamp is just in the packet header, not the packet
> data.
> > The time stamp is an approximation of the time when the packet was
> received by the machine that captured it.-
> > This is the tcpdump-workers list.
> > Visit https://cod.sandelman.ca/ to unsubscribe.
> Okay,
>
> Thanks for your answer ...
>
> Regards,
> alokat
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.




-- 
Sanjay Sundaresan
Grad Student
Viterbi School of Engineering, USC
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.