On Tue, Jul 23, 2002 at 03:19:54PM -0600, Gabe Anderson wrote:
> I have some questions regarding tcpdump timestamps. When exactly does
> tcpdump stamp the arriving and leaving packets?

Tcpdump doesn't timestamp packets, it just gets a timestamp from libpcap, and libpcap, in turn, just gets it from the OS. The answer to the question would depend on the OS...

> Given a scenario, where I was
> sending data out over an encrypted channel (say, ipsec), would timestamps
> detected over device ipsec0 correspond to the packets arrival after being
> decrypted, or do the stamps correlate to the eth0 timestamps.

...and, as you said "eth0", the OS is probably Linux. If you sniff on "eth0", the time stamps on incoming packets come, I think, from either the driver or low-level code in the Linux networking stack; I don't remember where outgoing packets are time stamped. I don't know when it'd happen on "ipsec0"; you might want to ask the linux-net mailing list about that.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
