Wireshark mailing list archives

Re: regarding pcap timestamps


From: Guy Harris <guy () alum mit edu>
Date: Wed, 21 Mar 2012 15:15:06 -0700


On Mar 21, 2012, at 12:41 PM, abhinav narain wrote:

   pcap gives the timestamp of a packet using the ioctl call with flag SIOCGSTAMP.

pcap gets the time stamp of a packet by various mechanisms on various operating systems; it uses SIOCGSTAMP on Linux 
*if* it's not using the memory-mapped capture mechanism.

More to the point, pcap gets the time stamp of a packet by mechanisms that return the time in UN*X format (well, on 
Windows it's converted to UN*X format by the driver that WinPcap uses), i.e. seconds and fractions of a second since 
January 1, 1970, 00:00:00 UTC, and the packets are, in most cases, time-stamped by the operating system's networking 
stack at some point in the packet's path up to userland, which could be a point after the packet arrives at the 
networking adapter.

   Is it the same timestamp reported by radiotap header?

If you're referring to the TSFT value from the radiotap header:

        http://www.radiotap.org/defined-fields/TSFT

no, it is not.  That time stamp is the "value in microseconds of the MAC's 64-bit 802.11 Time Synchronization Function 
timer when the first bit of the MPDU arrived at the MAC."  That's described in IEEE Std 801.11-2007 in section 11.1 
"Synchronization"; that says that the TSF timer is in units of microseconds, but says nothing whatsoever about the time 
base of the timer.

This means that:

        1) The packet time stamp from pcap is a value counting seconds and microseconds since January 1, 1970, 00:00:00 UTC; the TSF timer could be seconds and microseconds since some arbitrary time in the past.

        2) The packet time stamp is assigned to the packet at some arbitrary point between the point when it arrives at the network adapter and the point at which it's queued up for userland to read; the TSF timer value is assigned at the point "when the first bit of the MPDU [arrives] at the MAC".

I just did a traffic capture on our 802.11 network, and the first packet has a pcap time stamp of 1332367676.553527000 
seconds since January 1, 1970, 00:00:00 UTC and a TSF timer value of 1958026856435 microseconds, or 1958026.856435 
seconds, since, well, the time base of my machine's Wi-Fi adapter's TSF timer.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
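
The two clocks described in the message above, read side by side from one capture record. This is an added example, not part of the original post and not libpcap or Wireshark code. It assumes a classic little-endian, microsecond-resolution pcap record header and a radiotap link type; the function names are hypothetical, and the sample record is constructed from the two values quoted in the message.

```python
import struct

PCAP_REC = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len (assumed LE, usec pcap)
RTAP_HDR = struct.Struct("<BBHI")  # it_version, it_pad, it_len, first it_present word
TSFT_BIT = 1 << 0                  # radiotap present bit 0: TSFT, u64 microseconds
EXT_BIT = 1 << 31                  # another it_present word follows


def parse_record(record):
    """Return (ts_sec, ts_usec, tsft_usec or None) for one radiotap-linktype pcap record."""
    if len(record) < PCAP_REC.size:
        raise ValueError("short pcap record header")
    ts_sec, ts_usec, incl_len, _orig_len = PCAP_REC.unpack_from(record, 0)
    frame = record[PCAP_REC.size:PCAP_REC.size + incl_len]
    if len(frame) < max(incl_len, RTAP_HDR.size):
        raise ValueError("truncated record")
    version, _pad, it_len, present = RTAP_HDR.unpack_from(frame, 0)
    if version != 0 or not RTAP_HDR.size <= it_len <= len(frame):
        raise ValueError("bad radiotap header")
    offset, word = RTAP_HDR.size, present
    while word & EXT_BIT:          # skip any extended present bitmaps
        if offset + 4 > it_len:
            raise ValueError("present bitmap overruns header")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    if not present & TSFT_BIT:
        return ts_sec, ts_usec, None
    offset = (offset + 7) & ~7     # TSFT is 8-byte aligned from the start of the radiotap header
    if offset + 8 > it_len:
        raise ValueError("TSFT overruns header")
    (tsft,) = struct.unpack_from("<Q", frame, offset)
    return ts_sec, ts_usec, tsft


def clock_offset_usec(ts_sec, ts_usec, tsft):
    """pcap (Unix epoch) time minus TSF time, both in microseconds, for one packet."""
    return ts_sec * 1_000_000 + ts_usec - tsft


def build_sample():
    """Constructed record carrying the two values quoted in the message above."""
    rtap = RTAP_HDR.pack(0, 0, 16, TSFT_BIT) + struct.pack("<Q", 1958026856435)
    frame = rtap + bytes(10)       # zeroed stand-in for the 802.11 frame
    return PCAP_REC.pack(1332367676, 553527, len(frame), len(frame)) + frame


if __name__ == "__main__":
    sec, usec, tsft = parse_record(build_sample())
    print(f"pcap {sec}.{usec:06d} s, TSFT {tsft} us, offset {clock_offset_usec(sec, usec, tsft)} us")
```

The offset is only a per-packet difference between two unrelated time bases; because the pcap stamp is assigned later in the packet's path than the TSF value, it is not an exact mapping between the clocks.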

