
Timestamps

Ethereal just gets its time stamps from libpcap, and libpcap gets them from the OS (drivers, networking stack, packet capture mechanism, etc.), so there's nothing Ethereal can do about them. How time stamping works is OS-dependent.

It's the code in the packet capture mechanism used by libpcap/WinPcap that timestamps packets.

In some UNIXes, that code is in the network drivers; it's higher up in the networking code path in other UNIXes. In Windows, that's done by the WinDump driver.

Note also that the time stamp on a packet isn't a high-accuracy measurement of the instant the first bit, or the last bit, of the packet arrived at the network adapter; there's a delay between the arrival of that last bit and the interrupt for the packet, and a delay between the interrupt handling starting and the point in the code path where the time stamp is attached to the skbuff.

Resolution

It's the resolution of whatever clock is being used. It might not be the "PC clock" because it might not be running on a "PC", either in the sense of machines sold as "personal computers" or in the sense of "IBM-compatible personal computer". Some of those machines might have better high-resolution timers than IBM-compatible PCs do - at least some OSes on more modern IBM-compatible PCs use the RDTSC instruction, if present on the processor, to get higher-precision time stamps.

Precision and accuracy are different things; a clock with picosecond resolution, set to a time that's 1 1/2 hours off, is very precise and very inaccurate.
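As an added example (not part of the original wiki page, and not Ethereal or libpcap code), the Python below reads the time stamps from a classic pcap file and estimates the granularity of the clock that produced them, which can be much coarser than the microsecond or nanosecond field the file stores. The sample capture, its 10 ms tick and the function names are constructed for illustration.

```python
import struct
from functools import reduce
from math import gcd

# Classic pcap magic bytes -> (struct byte order, fractional units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microsecond field
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microsecond field
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanosecond field
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanosecond field
}

def read_timestamps(data):
    """Return (units_per_second, [time stamps in file units]) for a classic pcap."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    stamps, off = [], 24                      # records follow the 24-byte file header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        if frac >= units:
            raise ValueError("fractional field out of range at offset %d" % off)
        stamps.append(sec * units + frac)
        off += 16 + incl_len                  # skip the captured packet bytes
    return units, stamps

def effective_tick(stamps):
    """Largest step dividing every inter-packet delta, in file units.

    This is an upper bound on the clock granularity: a short capture can
    make the clock look coarser than it is, never finer.
    """
    deltas = [abs(b - a) for a, b in zip(stamps, stamps[1:])]
    return reduce(gcd, deltas, 0)

def build_sample():
    """Constructed capture: four 4-byte records stamped by a 10 ms clock."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [(1000, 120000), (1000, 130000), (1000, 170000), (1001, 20000)]
    return hdr + b"".join(
        struct.pack("<IIII", s, us, 4, 4) + b"\x00" * 4 for s, us in recs)

if __name__ == "__main__":
    units, stamps = read_timestamps(build_sample())
    tick = effective_tick(stamps)
    print("field precision: 1/%d s, observed tick: %d/%d s" % (units, tick, units))
```

A tick far larger than one file unit means the stored digits overstate the resolution; it says nothing about accuracy, since a clock that is set wrong shifts every time stamp equally.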