On Mar 21, 2012, at 12:41 PM, abhinav narain wrote:
> pcap gives the timestamp of a packet using the ioctle call with flag
> SIOCGSTAMP.
pcap gets the time stamp of a packet by various mechanisms on various operating
systems; it uses SIOCGSTAMP on Linux *if* it's not using the memory-mapped
capture mechanism.
More to the point, pcap gets the time stamp of a packet by mechanisms that
return the time in UN*X format (well, on Windows it's converted to UN*X format
by the driver that WinPcap uses), i.e. seconds and fractions of a second since
January 1, 1970, 00:00:00 UTC, and the packets are, in most cases, time-stamped
by the operating system's networking stack at some point in the packet's path
up to userland, which could be a point after the packet arrives at the
networking adapter.
> Is it the same timestamp reported by radiotap header
If you're referring to the TSFT value from the radiotap header:
http://www.radiotap.org/defined-fields/TSFT
no, it is not. That time stamp is the "value in microseconds of the MAC's
64-bit 802.11 Time Synchronization Function timer when the first bit of the
MPDU arrived at the MAC." That's described in IEEE Std 801.11-2007 in section
11.1 "Synchronization"; that says that the TSF timer is in units of
microseconds, but says nothing whatsoever about the time base of the timer.
This means that:
1) The packet time stamp from pcap is a value counting seconds and
microseconds since January 1, 1970, 00:00:00 UTC; the TSF timer could be
seconds and microseconds since some arbitrary time in the past.
2) The packet time stamp is assigned to the packet at some arbitrary
point between the point when it arrives at the network adapter and the point at
which it's queued up for userland to read; the TSF timer value is assigned at
the point "when the first bit of the MPDU [arrives] at the MAC".
I just did a traffic capture on our 802.11 network, and the first packet has a
pcap time stamp of 1332367676.553527000 seconds since January 1, 1970, 00:00:00
UTC and a TSF timer value of 1958026856435 microseconds, or 1958026.856435
seconds, since, well, the time base of my machine's Wi-Fi adapter's TSF timer.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
