Re: Absolute arrvial time of packet in wireshark

[Guy Harris <guy () alum mit edu>]

On Jun 27, 2014, at 12:23 AM, Vishnu Bhatt <vishnu.bhatt () aricent com> wrote:

> Thanks for all the replies.
> One more thing I would like to ask is, one thing I've noticed that the last three digits of time shown in Wireshark 
> till nanosecs precision are always zero (for every packet).
>
> For eg. Arrival Time: Oct 23, 2013 23:21:07.388979000 IST.
>
> In the above case also the last three digits in .388979000 are zero, which means microsecs are multiplied with 1000 
> to get the nanosecs.
>
> Can somebody please clarify more on this as to how the nanosecs obtained?

For standard pcap captures, the nanoseconds are obtained by taking the microseconds from the capture file and 
multiplying them by 1000; for nanosecond-resolution pcap captures, they're directly obtained from the capture file.

For pcap-ng captures, they're obtained by scaling the time stamps appropriately.

Ideally, we would keep track of the precision of each time stamp, and not display insignificant trailing zeroes, but 
we're not doing that in all cases; currently, the time stamp precision is per-file, not per-interface or per-packet, 
and for pcap-ng files, which are now the default file format for Wireshark, there is no per-file precision, there's 
just per-interface precision, so we just report the per-file precision as nanoseconds, and calculate the seconds and 
nanoseconds from the raw time stamp values (which aren't in seconds and nanoseconds, they're in a per-interface 
fraction-of-a-second form).

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe