On Feb 5, 2004, at 9:03 AM, Philippe De Neve wrote:
> I have a question regarding the time value which ethereal displays for
> each captured packet.
> Is this the time the last byte of the packet arrived or the first
> byte?

It's the time that whatever time stamping mechanism time-stamped the
packet provided.

It's closer to the time the last byte of the packet arrived (except for
packets *sent* by the machine running Ethereal, where it's closer to
the time the first byte of the packet was transmitted), but, at least
for captures done by Ethereal, Tethereal, tcpdump, or other
libpcap-using applications on one of the machine's network interfaces,
it's actually the value of the system clock at the time that the packet
was time-stamped, which is *after* the time the last byte of the packet
arrived:

1) the time stamping is typically done at the time the packet is
handed by the driver to whatever mechanism libpcap uses to capture
packets, which means it's some number of instructions after the host
was notified that the packet had arrived;

2) the driver might be doing polling or some other deferred-interrupt
scheme to "batch" packets (so that multiple packets are handled in one
interrupt), which could make the time stamp even later (as the host
isn't notified that the packet has arrived until the interrupt occurs).

I.e., if the difference between the time the first byte arrived and the
last byte arrived makes a difference to you, you have other things to
worry about as well....
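
Added example (not part of the original message): a check for the batching effect described in point 2, flagging received packets whose time stamps are closer together than the link could have delivered them. It assumes Ethernet framing, a known link speed, captured lengths without the FCS, and packets all received in one direction on one link; the function names and sample values are constructed for illustration.

```python
from decimal import Decimal

# Bytes each frame occupies on the wire that a capture normally omits:
# 4 (FCS) + 8 (preamble and SFD) + 12 (inter-frame gap). Ethernet assumed.
WIRE_OVERHEAD = 24


def min_spacing(frame_len, link_bps):
    """Smallest possible time, in seconds, between the last byte of one
    received frame and the last byte of the next, given the next frame's
    captured length and the link speed in bits per second."""
    return Decimal((frame_len + WIRE_OVERHEAD) * 8) / Decimal(link_bps)


def find_batched(packets, link_bps):
    """packets: list of (time stamp as Decimal seconds, captured length),
    in capture order. Returns the indexes of packets stamped sooner after
    their predecessor than the wire allows, so the stamp cannot be the
    arrival time of the last byte."""
    flagged = []
    for i in range(1, len(packets)):
        delta = packets[i][0] - packets[i - 1][0]
        if delta < min_spacing(packets[i][1], link_bps):
            flagged.append(i)
    return flagged


# Constructed sample: 100 Mbit/s link, time stamps in seconds.
SAMPLE = [
    (Decimal("0.000000"), 1514),
    (Decimal("0.000124"), 1514),  # 124 us apart: possible on the wire
    (Decimal("0.000500"), 1514),
    (Decimal("0.000503"), 1514),  # 3 us apart: handled in the same batch
    (Decimal("0.000505"), 60),    # 2 us apart: handled in the same batch
    (Decimal("0.000600"), 60),
]

if __name__ == "__main__":
    for i in find_batched(SAMPLE, 100_000_000):
        print("packet", i, "stamped at", SAMPLE[i][0],
              "cannot be a wire arrival time")
```

A packet that is not flagged is not thereby shown to be accurately stamped; the check only catches spacings that are physically impossible for the link.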