Wireshark mailing list archives
Re: Wireshark and Timestamps
From: Guy Harris <guy () alum mit edu>
Date: Mon, 26 Oct 2009 11:03:41 -0700
On Oct 25, 2009, at 8:58 AM, d.j.s.legge () reading ac uk wrote:

> Can I please confirm that the timestamps used by Wireshark:
>
> frame_time - This is the actual date/time (as presented by the local computer clock) to Wireshark for stamping e.g.
> num 1. Apr 23 2009 17:34:49.861864000
> num 2. Apr 23 2009 17:34:49.861942000
> num 3. Apr 23 2009 17:34:49.861979000

This is the actual date/time (as presented by the clock on the machine doing the capturing, which might or might not be the machine on which you're running Wireshark - somebody else might have captured the traffic into a file on another machine and sent it to you).

> frame_time_delta - This is the time gap between the end of frame x and the start of frame y. In the example below there is 0.000037 seconds between the end of frame #2 and the start of frame #3
> num 1. 0.000000
> num 2. 0.000078
> num 3. 0.000037

For the Nth frame in the capture (*NOT* the Nth frame in the display, as the display might be filtered), for N > 1, this is the difference between the frame_time of the Nth frame and the frame_time of the N-1st frame. (For the first frame, it's 0.)

> frame_time_relative - This is essentially frame time sigma. That is the cumulative time of all frames (packets) from the first capture at 0.000000
> num 1. 0.000000
> num 2. 0.000078
> num 3. 0.000115

If there's a frame before this frame that's marked as a "time stamp reference", it is the difference between the frame_time of this frame and the frame_time of the "time stamp reference" frame. Otherwise, it is the difference between the frame_time of this frame and the frame_time of the first frame in the capture (so, for the first frame in the capture, it's obviously zero).

> The question is how does one confirm the exact frame transport time less the time_delta? I want to be able to measure the exact period of time that it takes a frame to transition the NIC

What do you mean by "transition the NIC"?
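
The delta and relative definitions given in the reply above, worked through as an added example that is not part of the original messages and is not Wireshark code. Frames 1 to 3 use the timestamps quoted in the thread; frames 4 and 5, the `Frame` class and all function names are constructed for illustration, and treating a reference frame as its own zero point is an assumption of the sketch.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    number: int                # position in the capture file, starting at 1
    time_ns: int               # capture clock reading, ns after 17:34:49
    is_time_ref: bool = False  # marked as a "time stamp reference"

# Frames 1-3 use the timestamps quoted in the thread; 4 and 5 are constructed.
CAPTURE = [
    Frame(1, 861_864_000),
    Frame(2, 861_942_000),
    Frame(3, 861_979_000),
    Frame(4, 862_100_000, is_time_ref=True),
    Frame(5, 862_250_000),
]

def annotate(frames):
    """Return {number: (delta_ns, relative_ns)} over frames in capture order."""
    out, prev, ref = {}, None, None
    for f in frames:
        # Assumption of this sketch: a reference frame is its own zero point.
        if ref is None or f.is_time_ref:
            ref = f
        delta = 0 if prev is None else f.time_ns - prev.time_ns
        out[f.number] = (delta, f.time_ns - ref.time_ns)
        prev = f
    return out

def gap_between_shown(frames, shown):
    """Gap to the previous frame that passes a display filter, for contrast."""
    out, prev = {}, None
    for f in frames:
        if f.number in shown:
            out[f.number] = 0 if prev is None else f.time_ns - prev.time_ns
            prev = f
    return out

def seconds(ns):
    """Format a non-negative nanosecond count as seconds with microseconds."""
    return f"{ns // 10**9}.{ns % 10**9 // 1000:06d}"

if __name__ == "__main__":
    for number, (delta, relative) in annotate(CAPTURE).items():
        print(number, seconds(delta), seconds(relative))
    # With only frames 1 and 3 displayed, frame 3's delta is still 0.000037.
    print(gap_between_shown(CAPTURE, {1, 3}))
```

The delta for frame 3 is computed against frame 2 even when frame 2 is filtered out of the display, which is why it differs from the gap between the two frames still shown.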