This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 9 and 10
Revision 9 as of 2006-06-05 03:19:28
Size: 2195
Editor: localhost
Comment:
Revision 10 as of 2007-08-01 15:24:32
Size: 2190
Editor: gw
Comment:
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
Line 17: Line 16:
Line 20: Line 18:
Please put some hard facts here ...  Please put some hard facts here ...

Timestamps

Wireshark just gets its timestamp from libpcap/WinPcap, and libpcap/WinPcap gets it from the packet capture mechanism it uses; Wireshark itself doesn't generate the time stamp, so there's nothing Wireshark can do about it.

How the time stamp works is OS dependent. In some UNIXes, that code is in the network drivers; it's higher up in the networking code path in other UNIXes. In Windows, with WinPcap, it's done by the WinPcap driver.

Another issue might be if the OS does "polling", so that, instead of getting an interrupt per packet, multiple packets are delivered per clock interrupt, or otherwise arranges that one interrupt be delivered for a batch of packets, to reduce interrupt-handling overhead. If that's the case, the time stamps might be the same for multiple packets, at least to the resolution of the time stamping routine.

Note also that the time stamp on a packet isn't a high-accuracy measurement of the instant the first bit, or the last bit, of the packet arrived at the network adapter; there's a delay between the arrival of that last bit and the interrupt for the packet, and a delay between the interrupt handling starting and the point in the code path where the time stamp is attached to the packet.

Resolution

It's the resolution of whatever clock is being used. It might not be the "PC clock" because it might not be running on a "PC", either in the sense of machines sold as "personal computers" or in the sense of "IBM-compatible personal computer". Some of those machines might have better high-resolution timers than IBM-compatible PCs do - at least some OSes on more modern IBM-compatible PC's use the RDTSC instruction, if present on the processor, to get higher-precision time stamps.

There's precision and accuracy; a clock with picosecond resolution, set to a time that's 1 1/2 hours off, is very precise and very inaccurate.

Discussion

That's the usualy discussion about this might me / this could be / this will be / and so on.

Please put some hard facts here ...

Just simply add measurement values (and the hard facts on the environment) on a specific platform so others can participate ...

Timestamps (last edited 2008-04-12 17:51:23 by localhost)