Re: Wireshark and Timestamps

[Guy Harris <guy () alum mit edu>]

On Oct 26, 2009, at 11:50 AM, d.j.s.legge () reading ac uk wrote:

> Thanks for your response. I've captured traffic from both production  
> and
> lab networks and I'm looking at using kNN to cluster traffic types.
> Therefore I need to create attributes on which to cluster. One of  
> these
> will be packet (frame) length, the other will be time. The  
> assumption being
> that small packets (in length) have a low packet transmit time.  
> However I
> need to be able to present just transmission time, the time it takes  
> for
> the packet or frame to transit,

Again, what do you mean by "transition the NIC" or "transit"?

If you're trying to, for example, find the time between the point at  
which the NIC is told to transmit the packet and the point at which  
the last bit of the packet is put onto the network, you can't get that  
from any of the packet capture mechanisms that are available to  
libpcap/WinPcap, and thus you can't get that from Wireshark.  The time  
stamps that the capture mechanisms provide to libpcap/WinPcap, and  
thus to Wireshark (or any other app using libpcap/WinPcap), are the  
time at which the capture mechanism is handed the packet.  For  
incoming packets, this could be a significant amount of time after the  
packet is received by the NIC; for outgoing packets, it's the time at  
which the driver or networking stack happens to hand the packet to the  
capture mechanism, which is probably before the packet is even put  
onto the network.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe