Moon Jihyun wrote:
> I wonder if 'Arrival Time' is MAC-layer timestamp, or Application-layer
> timestamp.
> (WinPcap source codes are too complex to see. @.@)

...so the best place to ask would be winpcap-users@xxxxxxxxxxx.
Most capturing done through libpcap/WinPcap uses a capture mechanism in
the OS (on UN*X) or uses WinPcap's driver, which plugs into NDIS (on
Windows), and the time stamping is being done by that code.
This means that the time stamping is done by some piece of code in the
code path between the driver and the code that hands the packet to userland.
That, in turn, means that if you expect the time stamp to be
high-accuracy, your expectations won't be met - it might be
high-precision (although even there, that depends on how the
high-resolution part of the time stamp is generated - if, for example,
the Time Stamp Counter on newer x86's is used, that might not be
counting microseconds or some such unit, it might be counting some unit
close to microseconds but not exactly microseconds).
So the time stamp is, for packets received by the machine running a
libpcap/WinPcap-based application, some time after the packet
arrived at the network adapter (note that the adapter might not be
configured to interrupt the host on every packet, with the host
periodically polling the adapter, so as to process multiple packets per
interrupt, so "some time after" might be a significant amount of time),
but it will probably be before the packet was received by an application
running on that same machine. (If it's a promiscuous capture, and the
packet was sent to another host - or if the capture isn't being done on
the last network segment over which the packet will travel - there's no
simple relationship between the time stamp and the time at which the
machine to which the packet is being sent received it, much less when
the application *on* that machine received it.)
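
An added example, not part of the original message: one way to look at the time stamps a capture actually carries, by reading them from a classic pcap byte string and grouping packets whose stamps sit very close together. Tight groups separated by long gaps are consistent with the host stamping several packets in one service pass, as described above, though they do not prove it. The function names, the 20-microsecond threshold and the sample capture are assumptions constructed for illustration.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond time stamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond time stamps

def read_timestamps(blob):
    """Return per-packet time stamps, in integer nanoseconds, from classic pcap bytes."""
    magic_le = struct.unpack_from("<I", blob, 0)[0]
    magic_be = struct.unpack_from(">I", blob, 0)[0]
    for endian, magic in (("<", magic_le), (">", magic_be)):
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    # The stored fraction is only as fine as the format allows (precision);
    # it says nothing about how close the stamp is to wire arrival (accuracy).
    scale = 1000 if magic == PCAP_MAGIC_USEC else 1
    stamps, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(blob):
        sec, frac, caplen, _origlen = struct.unpack_from(endian + "IIII", blob, off)
        stamps.append(sec * 1_000_000_000 + frac * scale)
        off += 16 + caplen
    return stamps

def group_batches(stamps_ns, max_gap_ns=20_000):
    """Group consecutive packets stamped less than max_gap_ns apart (assumed threshold)."""
    batches = []
    for ts in stamps_ns:
        if batches and ts - batches[-1][-1] < max_gap_ns:
            batches[-1].append(ts)
        else:
            batches.append([ts])
    return batches

def build_sample():
    """Constructed capture: six 60-byte packets stamped in two bursts about 1 ms apart."""
    usecs = [100, 103, 107, 1100, 1102, 1109]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for us in usecs:
        payload = b"\x00" * 60
        out += struct.pack("<IIII", 1_700_000_000, us, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    for batch in group_batches(read_timestamps(build_sample())):
        span_us = (batch[-1] - batch[0]) / 1000
        print(f"{len(batch)} packets stamped within {span_us:.0f} us")
```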