Ethereal-users: Re: Re: [Ethereal-users] how to understand the capture time!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Huang Qian <huangq@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 14 Jun 2002 10:26:49 +0800
Hi,Dear Guy Harris,

Thanks for your great help.

However, I still don't understand the capture time Ethereal display. for example, when I capture the icmp packet produced by "ping host B" on host A, it shows the same capture time of echo request and echo reply, as the following:

1  0.000000  A   B   ICMP  Echo(ping) request
     Arrival Time: Jun 14,2002 12:00:00.123456789
     ...
2  0.000000  B   A   ICMP  Echo(ping) reply
     Arrival Time: Jun 14,2002 12:00:00.123456789
     ...

I wonder why the set of icmp packets arrive at the same time? since A ping B, and B returns a echo reply, it shouldn't produce at the same time! 

More ever, I captured the "A ping B" echo request packet on host B, and I want to compute the transmit time for the packet.(A and B have been synchronized by NTP time server)
But 
   transmit = "the arrvial time on host B" subtract "the time of the echo request produced on host A"  
the transmit seems much different from the "round-trip time"/2 displayed by "ping", I mean, it seems they are not in the same quantity scale. So I feel confused. Would you like to give me some suggestion?

Thanks again!

Best Regards!

Qian Huang
Intern Student
Bell Labs Research China

Email:huangq@xxxxxxxxxxxxxxxxxxxxxxxxxx
http://blrc.edu.cn


========Original Messages==========

>On Thu, Jun 13, 2002 at 05:32:41PM +0800, Huang Qian wrote:
>> The webpages about pcap says that the "pcap_pkthdr" structure contains
>> the information about when the packet was sniffed, that is:
>>    struct pcap_pkthdr{
>>                        struct timeval ts;
>>                        bpf_u_int32 caplen;
>>                        bpf_u_int32 len;
>>                      } 
>> I wonder whether the "ts" is just the time when the pcap captured the
>> packet?
>
>What "ts" means depends on the operating system on which you're
>capturing packets.
>
>On most operating systems, it's the time at which the driver for the
>network interface gave the packet to the OS's packet capture mechanism;
>on some OSes where the operating system doesn't itself put a time stamp
>on the packet, it's the time at which the libpcap library read the
>packet from the OS kernel.
>
>I.e., the time isn't necessarily the time when the packet arrived on the
>machine running tcpdump/Ethereal/whatever sniffer program you're using -
>it may be a later time (although it probably won't be much later).
>
>> Whether Ethereal use this data for the time when a packet was
>> captured?
>
>Yes, Ethereal does.
>
>> Ethereal display the captured packets like:
>> Frame 1
>>       Arrival time: Jun 13, 2002 12:00:00.1234546789
>>      ...
>> 
>
>> How Ethereal gets this arrival time? from the pcap_pkthdr mentioned
>> upper?
>
>Yes.
>
>> the datum "123456789" come directly from the "tv_usec" part in
>> the timeval strcuture?
>
>Yes.
>
>Note that not all OSes necessarily provide high-precision time stamps;
>they might, for example, provide time stamps with 1 millisecond or 10
>millisecond resolution.
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users