Ethereal-users: [Ethereal-users] Where's the second source of time stamps?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "J. Michael Milner" <jmmilner@xxxxxxxxxxxxxxxx>
Date: Wed, 17 Apr 2002 17:01:59 -0500
I've been capturing a filtered view of the traffic between my router and
the cable modem.  I'm seeing some interesting stuff at the MAC level,
as all the cable modems for blocks around are on what amounts to a common
Ethernet segment.  However, I can't seem to figure out why I see what
looks like 2 clocks being used for "Arrival Time" - one that looks correct and
another that is running 32 hours and 15 minutes behind!  I'm assuming the
time is from the system clock of the machine doing the capture in all cases.
If not, is there a time stamp in the link level protocol that is being
used?  I don't see a correlation between the right/wrong time and any of the
following: source MAC or IP, destination MAC or IP, protocol (but I filtered
out ARPs).  I know all the addresses could be spoofed so maybe the time stamp
is the only fingerprint I can trust.

The configuration is Ethereal 0.9.2, WinPcap 2.3, Windows 95B, and a 3C905
LAN card.  The link in question is between a Scientific Atlanta DPX100 cable
modem (10M) and a D-Link DI-713P home router (100M) - the tap is made using
a LinkSys 10/100 5-port hub (not switch).  I've attached a short sample of
clock behavior I'm seeing, this time using ARPs.  In this case the first
packet was from the "wrong" clock so the delta is positive rather than
negative but still the same magnitude.

Mike Milner

Attachment: t5
Description: Binary data
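
A check for the symptom described in the message above, added here as an example (not part of the original post and not Ethereal code): it reads the per-packet timestamps from a capture and lists every point where consecutive packets differ by more than an hour. It assumes the capture is saved in classic libpcap format; the sample capture, its epoch value and the function names are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap file, microsecond timestamps

def packet_times(data):
    """Yield (index, seconds) for each record in a classic pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset, index = 24, 0  # the global header is 24 bytes
    while offset + 16 <= len(data):
        # Per-packet header: ts_sec, ts_usec, captured length, original length
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        yield index, ts_sec + ts_usec / 1e6
        offset += 16 + incl_len
        index += 1

def clock_jumps(data, threshold=3600.0):
    """Return (packet index, delta seconds) wherever |delta| from the previous packet exceeds threshold."""
    jumps, prev = [], None
    for index, t in packet_times(data):
        if prev is not None and abs(t - prev) > threshold:
            jumps.append((index, round(t - prev, 6)))
        prev = t
    return jumps

def build_sample():
    """Constructed capture: packets 0 and 2 carry a timestamp 32 h 15 min behind."""
    lag = 32 * 3600 + 15 * 60  # 116100 s, the offset reported in the message
    base = 1019080919          # constructed epoch value, not taken from the attachment
    stamps = [base - lag, base + 1, base + 2 - lag, base + 3]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for sec in stamps:
        frame = b"\x00" * 60  # placeholder frame bytes
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for index, delta in clock_jumps(build_sample()):
        print(f"packet {index}: {delta:+.0f} s relative to previous packet")
```

A constant magnitude across all reported jumps, alternating in sign, matches two timestamp sources with a fixed offset rather than a drifting clock.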