Ethereal-users: Re: [Ethereal-users] Can I trust the timestamps

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 15 Sep 2005 23:19:01 -0700
Tomas Brännlund (KI/EAB) wrote:

We made some tests with a mobile terminal connected to a PC via USB.
The mobile terminal was connected to the Internet. We ran ping tests from
the computer and at the same time we logged the USB port with Ethereal.
We ran the Ping tests from an MS-DOS window. When we compared the Ping
result presented on the MS-DOS window with that logged with Ethereal
there was a difference. It seemed like Ethereal truncated the result
down to multiples of 10 milliseconds (rather: when taking the difference
between ICMP request and response the difference was always multiples of
10ms).

Ethereal doesn't truncate what it gets from libpcap/WinPcap; libpcap on UN*Xes doesn't truncate anything, either, and, as far as I know, the user-mode portion of WinPcap doesn't truncate what it gets from WinPcap's driver.

I don't think the WinPcap driver truncates time stamps, but the time stamps it gets from the OS might be truncated based on what the OS supplies.

You'd need to ask the WinPcap developers where their driver gets its time stamps.
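
One way to check a capture file for the coarse time-stamp granularity discussed in this thread, as an added example that is not part of the original messages or of Ethereal/WinPcap: it reads the record headers of a classic pcap file and takes the GCD of the inter-packet deltas. The function names and the sample time stamps are constructed for illustration.

```python
import struct
from functools import reduce
from math import gcd

# Classic pcap magic as read little-endian -> (byte order, fraction-to-ns multiplier)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000), 0xD4C3B2A1: (">", 1_000),  # microsecond files
    0xA1B23C4D: ("<", 1),     0x4D3CB2A1: (">", 1),      # nanosecond files
}

def read_timestamps_ns(data: bytes) -> list[int]:
    """Return the per-packet time stamps (in ns) stored in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file")
    endian, scale = _MAGICS[magic]
    stamps, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        stamps.append(sec * 1_000_000_000 + frac * scale)
        off += 16 + incl_len  # skip the captured bytes to reach the next record header
    return stamps

def apparent_granularity_ns(stamps: list[int]) -> int:
    """GCD of the non-zero deltas: the coarsest clock tick consistent with the capture."""
    deltas = [abs(b - a) for a, b in zip(stamps, stamps[1:]) if b != a]
    return reduce(gcd, deltas) if deltas else 0

def build_pcap(stamps_us: list[int], payload: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample: little-endian microsecond pcap with dummy 4-byte packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for t in stamps_us:
        out += struct.pack("<IIII", t // 1_000_000, t % 1_000_000, len(payload), len(payload))
        out += payload
    return out

# Constructed time stamps (microseconds): one set on a 10 ms tick, one on a fine clock.
BASE = 1_126_851_541_000_000
COARSE = [BASE + d for d in (0, 30_000, 1_000_000, 1_040_000, 2_000_000, 2_020_000)]
FINE = [BASE + d for d in (0, 31_237, 1_000_004, 1_038_551)]

if __name__ == "__main__":
    for name, sample in (("coarse", COARSE), ("fine", FINE)):
        tick = apparent_granularity_ns(read_timestamps_ns(build_pcap(sample)))
        print(f"{name}: apparent granularity {tick / 1e6:g} ms")
```

The GCD is only an upper bound on the real tick: with few packets it can overstate the granularity, so run it over a capture with many packets before concluding that the time-stamp source is coarse.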