Is the approximation because of the fact that NIC card generarates interrupt only after some number of packets arrive ?. Does device polling affect time stamp ? At what stage of capture time stamping is done ?
On Sat, Jul 9, 2011 at 6:59 PM, Alokat <mail...@alokat.org> wrote: > On 07/09/11 21:56, Guy Harris wrote: > > On Jul 9, 2011, at 4:41 PM, Alokat wrote: > > > >> I'm wondering what is in the pcap_data (pcap file format) and what is > not? > >> Especially the timestamp ... is it just in the packet_header or in the > >> packet_data too? > > A pcap file starts with a header. Following the header are zero or more > packet records. A packet record has a header, which includes the packet > time stamp, followed by packet data, which is just the raw data as supplied > to libpcap/WinPcap by whatever mechanism it uses. That mechanism supplies > the packet time stamp for inclusion in the header, so there is no reason to > expect that it will also be in the packet data, especially given that no > link layers would include that time stamp (it's not in an Ethernet header, > for example), so the time stamp is just in the packet header, not the packet > data. > > > > The time stamp is an approximation of the time when the packet was > received by the machine that captured it.- > > This is the tcpdump-workers list. > > Visit https://cod.sandelman.ca/ to unsubscribe. > Okay, > > Thanks for your answer ... > > Regards, > alokat > - > This is the tcpdump-workers list. > Visit https://cod.sandelman.ca/ to unsubscribe. > -- Sanjay Sundaresan Grad Student Viterbi School of Engineering, USC - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
