On Jun 18, 2008, at 2:13 PM, Chris Swinney wrote:
> I may have misread the merged file. I'm not sure if the merged
> file is totally correct as I seem to be getting responses before
> requests, but they DO appear to be in chronological order. I'm not
> sure at which point the time stamp is applied to the packet and if
> the sniffing PCs have any effect on this - I think not. I assume
> that the time stamp is applied to the header by whatever device sent
> the packet, not by a device listening.

No. The time stamps Wireshark gets from libpcap/WinPcap when it's
capturing are the time stamps libpcap/the user-mode WinPcap code get
from the OS's native capture mechanism/the WinPcap driver; from the
point of view of libpcap/WinPcap, packets are time-stamped when they
are *received*, not when they are *sent*.
Note also that the time stamp value comes from the clock's value at
the time the time-stamping code runs; that could be after the packet
is received by the network adapter or provided to the network adapter
by the host. See the page Sake Blok mentioned in his message:
http://wiki.wireshark.org/Timestamps
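
The following is an added example, not part of the original message or of Wireshark's code. It parses the classic pcap record header to show that the time stamp is stored by the capturing host, not carried in the packet, and that merging captures from two hosts with different clocks can put a response ahead of its request. The capture contents, host labels and the 0.2 s clock offset are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond time stamps
LINKTYPE_USER0 = 147      # private-use link type; the frames below are placeholder bytes

def build_pcap(records):
    """Build a little-endian classic pcap from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data, source):
    """Return [(ts_microseconds, source, frame)] for each record in the file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    records, off = [], 24  # 24-byte global header
    while off + 16 <= len(data):
        # Per-record header written by the capturing host: this is the only
        # place the time stamp exists; the frame bytes carry none.
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record")
        records.append((sec * 1_000_000 + usec, source, data[off:off + incl]))
        off += incl
    return records

def merge(*captures):
    """Merge captures the way a time-ordered merge does: by recorded time stamp."""
    return sorted((r for cap in captures for r in cap), key=lambda r: r[0])

def inversion_us(merged, request, response):
    """Microseconds by which the response's recorded time precedes the request's."""
    ts = {frame: t for t, _src, frame in merged}
    return max(0, ts[request] - ts[response])

def demo():
    # Constructed: host A records the request; host B, whose clock runs 0.2 s
    # behind, records the response that really arrived 3 ms later.
    cap_a = build_pcap([(1213794780, 500000, b"REQUEST")])
    cap_b = build_pcap([(1213794780, 303000, b"RESPONSE")])
    merged = merge(read_pcap(cap_a, "A"), read_pcap(cap_b, "B"))
    return [(src, frame) for _t, src, frame in merged], inversion_us(
        merged, b"REQUEST", b"RESPONSE")

if __name__ == "__main__":
    print(demo())
```

A non-zero inversion in a merged file means the capture clocks (plus any time-stamping delay) disagree by at least that much, so ordering across the two sources cannot be trusted at that granularity.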