Ethereal-users: Re: [Ethereal-users] Meaning of time stamp of Packets shown in ethereal GUI

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 3 Jul 2003 01:30:24 -0700
On Thu, Jul 03, 2003 at 11:14:57AM +0530, Naveen Kumar Kaushik wrote:
> Would anybody tell me the meaning of the time stamp of packets shown in
> the Ethereal GUI? From where does the packet get this time?

From the capture file.

> Is this the time of system where ethereal is installed or .....

It depends on the capture file format.  Some formats (such as the
libpcap format that's Ethereal's native format, and thus the one used in
captures done with Ethereal) store the time as "universal time" rather
than time in a particular time zone (e.g., the libpcap format uses UNIX
time, in seconds since January 1, 1970, 00:00:00 GMT and microseconds
since the beginning of that second).  Some other formats use local time
(which the Ethereal code to read capture files converts to universal
time, as that's the time Ethereal uses internally).

> That is, I would like to know where and how the time stamping is done.

That depends on the software used to do the capture.

In captures done by Ethereal, it's done, on most platforms, by the
underlying packet capture mechanism used by libpcap (on HP-UX, and maybe
some others, it's done by libpcap).  The time stamp reflects the time
that the time stamp was applied to the packet, which is usually some
time after the packet is received by the host (the amount of time
depends on the interrupt latency of the machine and of the driver for
the networking card, which might be "batching" interrupts or polling so
that there's one interrupt, whether it be a device interrupt or a timer
interrupt, per packet, and depends on the length of the code path
between the driver and the code that time stamps the packet).
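
The libpcap time stamp layout described in the message above (UNIX seconds plus a sub-second count, independent of time zone), as an added example that is not part of the original message or of Ethereal's code. It goes beyond the message by also accepting the nanosecond-resolution magic number and big-endian files; `read_timestamps`, `build_sample` and the sample capture are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

MAGIC_USEC = 0xA1B2C3D4  # fraction field counts microseconds
MAGIC_NSEC = 0xA1B23C4D  # nanosecond-resolution variant of the format
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def read_timestamps(data):
    """Return [(utc_datetime, captured_len), ...], one entry per packet record."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    # The writer's byte order is only known from how the magic number reads.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap capture file")
    per_sec = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    out, off = [], 24  # packet records start after the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, caplen, _wirelen = struct.unpack(endian + "4I", data[off:off + 16])
        # A fraction of a second or more, or a length past EOF, means corruption.
        if frac >= per_sec or off + 16 + caplen > len(data):
            raise ValueError("corrupt record header at offset %d" % off)
        micros = frac * 1_000_000 // per_sec  # datetime resolves microseconds
        out.append((EPOCH + timedelta(seconds=sec, microseconds=micros), caplen))
        off += 16 + caplen
    return out

def build_sample(endian, magic, records):
    """Constructed capture; records is [(sec, frac, payload_bytes), ...]."""
    blob = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac, payload in records:
        blob += struct.pack(endian + "4I", sec, frac, len(payload), len(payload)) + payload
    return blob

if __name__ == "__main__":
    # Constructed sample: two packets 1.5 ms apart, little-endian, microseconds.
    sample = build_sample("<", MAGIC_USEC, [(1057221024, 250000, b"\x00" * 60),
                                            (1057221024, 251500, b"\x00" * 42)])
    for ts, caplen in read_timestamps(sample):
        print(ts.isoformat(), caplen)
```

The values returned are in UTC; any local-time rendering is a display choice made when the capture is read, not something stored in the file.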