Time stamps, their precisions and all that can be quite
confusing. This section will provide you with information about
what's going on while Wireshark processes time stamps.
While packets are captured, each packet is time stamped
as it comes in. These time stamps will be saved to the capture
file, so they also will be available for (later)
analysis.
So where do these time stamps come from? While capturing,
Wireshark gets the time stamps from the libpcap (WinPcap)
library, which in turn gets them from the operating system
kernel. If the capture data is loaded from a capture file,
Wireshark obviously gets the data from that file.
7.4.1. Wireshark internals
The internal format that Wireshark uses to keep a
packet time stamp consists of the date (in days since
1.1.1970) and the time of day (in nanoseconds since
midnight). You can adjust the way Wireshark displays the time
stamp data in the packet list; see the "Time Display Format"
item in Section 3.7, “The "View" menu”, for details.
While reading or writing capture files, Wireshark
converts the time stamp data between the capture file format
and the internal format as required.
While capturing, Wireshark uses the libpcap (WinPcap)
capture library which supports microsecond resolution. Unless
you are working with specialized capturing hardware, this
resolution should be adequate.
7.4.2. Capture file formats
Every capture file format that Wireshark knows supports
time stamps. The time stamp precision supported by a specific
capture file format differs widely and varies from one second
"0" to one nanosecond "0.123456789". Most file formats store
the time stamps with a fixed precision (e.g. microseconds),
while some file formats are even capable of storing the time
stamp precision itself (whatever the benefit may be).
The common libpcap capture file format that is used by
Wireshark (and a lot of other tools) supports a fixed
microsecond resolution "0.123456" only.
Note!
Writing data into a capture file format that doesn't
provide the capability to store the actual precision will
lead to loss of information. Example: if you load a capture
file with nanosecond resolution and store the capture data
to a libpcap file (with microsecond resolution), Wireshark
obviously must reduce the precision from nanosecond to
microsecond.
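The conversion described in Section 7.4.1 (internal format: days since 1.1.1970 plus nanoseconds since midnight) and the precision loss described in the note above, as an added example that is not part of the Wireshark User's Guide or Wireshark's own code. The sample time stamp and the minimal pcap writer are constructed for illustration; the classic libpcap record header layout (ts_sec, ts_usec, incl_len, orig_len) and the 0xa1b2c3d4 magic are the real format.

```python
import struct

NS_PER_SEC = 1_000_000_000
SEC_PER_DAY = 86_400
PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic: microsecond time stamps
LINKTYPE_ETHERNET = 1

def to_internal(epoch_sec, nanos):
    """(seconds since 1970, ns within that second) -> (days since 1.1.1970, ns since midnight)."""
    days, sec_of_day = divmod(epoch_sec, SEC_PER_DAY)
    return days, sec_of_day * NS_PER_SEC + nanos

def from_internal(days, ns_since_midnight):
    """Inverse of to_internal(): back to (seconds since 1970, ns within that second)."""
    sec_of_day, nanos = divmod(ns_since_midnight, NS_PER_SEC)
    return days * SEC_PER_DAY + sec_of_day, nanos

def pcap_record_header(epoch_sec, nanos, incl_len, orig_len):
    """Classic libpcap per-packet header. ts_usec holds microseconds, so the
    three least significant digits of the nanosecond value are discarded."""
    return struct.pack("<IIII", epoch_sec, nanos // 1000, incl_len, orig_len)

def read_pcap_record_header(hdr):
    """Parse the header back; returns (epoch_sec, nanos, incl_len, orig_len).
    The nanoseconds come back rounded down to a multiple of 1000."""
    ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
    return ts_sec, ts_usec * 1000, incl_len, orig_len

def precision_lost(nanos):
    """Nanoseconds that cannot survive a trip through a microsecond-only format."""
    return nanos % 1000

def build_pcap(packets, snaplen=65535):
    """Write a minimal little-endian pcap file (v2.4, Ethernet link type) from
    (epoch_sec, nanos, frame_bytes) tuples. Constructed for illustration."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for epoch_sec, nanos, frame in packets:
        out += pcap_record_header(epoch_sec, nanos, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    sec, ns = 1_700_000_000, 123_456_789        # constructed nanosecond-precision stamp
    print(to_internal(sec, ns))                  # (19675, 80000123456789)
    hdr = pcap_record_header(sec, ns, 60, 60)
    print(read_pcap_record_header(hdr))          # (1700000000, 123456000, 60, 60)
    print(precision_lost(ns))                    # 789
```

Writing the result of build_pcap() to a file and opening it in Wireshark shows the time stamp with six fractional digits only, which is exactly the reduction the note describes.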
It's often asked: "Which time stamp accuracy is
provided by Wireshark?". Well, Wireshark doesn't create any
time stamps itself but simply gets them from "somewhere else"
and displays them. So accuracy will depend on the capture
system (operating system, performance, ...) that you use.
Because of this, the above question is difficult to answer in
a general way.
Note!
USB connected network adapters often provide very
poor time stamp accuracy. The incoming packets have to take
"a long and winding road" to travel through the USB cable
until they actually reach the kernel. As the incoming
packets are time stamped when they are processed by the
kernel, this time stamping mechanism becomes very
inaccurate.
Conclusion: don't use USB connected NICs when you
need precise time stamp accuracy! (XXX - are there any such
NICs that generate time stamps on the USB hardware?)