On Thu, Jul 03, 2003 at 11:14:57AM +0530, Naveen Kumar Kaushik wrote:
> would anybody tell me the meaning of time stamp of Packets shown in
> ethereal GUI. From where the packet get this time.

From the capture file.

> Is this the time of system where ethereal is installed or .....

It depends on the capture file format. Some formats (such as the libpcap format that's Ethereal's native format, and thus the one used in captures done with Ethereal) store the time as "universal time" rather than time in a particular time zone (e.g., the libpcap format uses UNIX time, in seconds since January 1, 1970, 00:00:00 GMT and microseconds since the beginning of that second). Some other formats use local time (which the Ethereal code to read capture files converts to universal time, as that's the time Ethereal uses internally).

> That is I would like to know where and how the time stamping is done

That depends on the software used to do the capture. In captures done by Ethereal, it's done, on most platforms, by the underlying packet capture mechanism used by libpcap (on HP-UX, and maybe some others, it's done by libpcap).

The time stamp reflects the time that the time stamp was applied to the packet, which is usually some time after the packet is received by the host (the amount of time depends on the interrupt latency of the machine and of the driver for the networking card, which might be "batching" interrupts or polling so that there's one interrupt, whether it be a device interrupt or a timer interrupt, per packet, and depends on the length of the code path between the driver and the code that time stamps the packet).
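
The libpcap time stamp layout described in the reply above, as an added example that is not part of the original message: it reads the seconds and microseconds fields of each packet record from a classic libpcap file and returns them as UTC times. The function names, the two-packet sample capture and the +05:30 display zone are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap file, microsecond time stamps
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def pcap_timestamps(data: bytes) -> list:
    """Return one timezone-aware UTC datetime per packet record in a libpcap file."""
    if len(data) < 24:
        raise ValueError("truncated file header")
    # The writer stores the magic in its own byte order; use it to pick ours.
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond libpcap file")
    stamps, offset = [], 24      # the file header is 24 bytes
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        if usec >= 1_000_000:
            raise ValueError("microsecond field out of range")
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data")
        # Seconds since 1970-01-01 00:00:00 GMT plus microseconds into that second.
        stamps.append(EPOCH + timedelta(seconds=sec, microseconds=usec))
        offset += incl_len
    return stamps

def sample_capture(endian: str) -> bytes:
    """Constructed two-packet capture (not real traffic) for the demonstration."""
    header = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = b""
    for sec, usec in ((1057211097, 250000), (1057211098, 5)):
        payload = b"\x00" * 14   # placeholder bytes standing in for a frame
        records += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload)) + payload
    return header + records

if __name__ == "__main__":
    ist = timezone(timedelta(hours=5, minutes=30))   # viewer's zone, chosen for the demo
    for ts in pcap_timestamps(sample_capture("<")):
        print(ts.isoformat(), "=", ts.astimezone(ist).isoformat())
```

The stored value is the same instant whatever zone the reader displays it in, which matters when lining up captures from hosts in different time zones.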