Ethereal-users: Re: [Ethereal-users] Improving Ethereal timestamp accuracy

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 05 Feb 2006 18:36:24 -0800

ethereal@xxxxxxxxxx wrote:

> I have noticed in some of my experiments that the packet timestamp in
> Ethereal is not very accurate. For example, when packets are arriving
> rapidly, the timestamp in Ethereal is sometimes identical (to the
> micro-second) over 10-20 packets.

Accuracy, precision, or resolution?

As LEGO noted, Ethereal just gets its timestamp from libpcap, and libpcap gets it from the OS (drivers, networking stack, packet capture mechanism, etc.), so there's nothing Ethereal can do about it.

How the time stamp works is OS dependent, and...

> In these particular experiments, I'm running Ethereal on Fedora Core 3
> (Linux 2.6) and Redhat 7.2 (Linux 2.4).

...for Linux, there's one issue, on at least some kernels:

	http://www.ethereal.com/faq#q9.3

Another issue might be if Linux does "polling", so that, instead of getting an interrupt per packet, multiple packets are delivered per clock interrupt, or otherwise arranges that one interrupt be delivered for a batch of packets, to reduce interrupt-handling overhead. If that's the case, the time stamps might be the same for multiple packets, at least to the resolution of the time stamping routine.

Note also that the time stamp on a packet isn't a high-accuracy measurement of the instant the first bit, or the last bit, of the packet arrived at the network adapter; there's a delay between the arrival of that last bit and the interrupt for the packet, and a delay between the interrupt handling starting and the point in the code path where the time stamp is attached to the skbuff.
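
An added example, not part of the original message or of Ethereal/libpcap: a small Python reader for classic microsecond-resolution pcap files that reports how many packets share a time stamp and the smallest non-zero step between stamps, which measures the effective resolution of a capture (not its accuracy). The function names and the sample capture are constructed for illustration.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap file, microsecond time stamps

def read_timestamps(data):
    """Return per-packet time stamps, in integer microseconds, from pcap bytes."""
    endian = next((e for e in "<>"
                   if struct.unpack_from(e + "I", data, 0)[0] == PCAP_MAGIC_USEC), None)
    if endian is None:
        raise ValueError("not a microsecond-resolution classic pcap file")
    stamps, offset = [], 24  # the global file header is 24 bytes
    while offset + 16 <= len(data):
        sec, usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, offset)
        stamps.append(sec * 1_000_000 + usec)
        offset += 16 + caplen  # skip the record header and the captured bytes
    return stamps

def timestamp_report(stamps):
    """Summarise runs of identical stamps and the smallest non-zero step."""
    runs, run = [], 1
    for prev, cur in zip(stamps, stamps[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    if stamps:
        runs.append(run)
    steps = [b - a for a, b in zip(stamps, stamps[1:]) if b > a]
    return {
        "packets": len(stamps),
        "longest_identical_run": max(runs, default=0),
        "packets_in_shared_stamps": sum(r for r in runs if r > 1),
        "smallest_step_us": min(steps, default=None),
    }

def build_sample_pcap(stamps_us, payload=b"\x00" * 60):
    """Constructed sample: a little-endian pcap holding the given time stamps."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts in stamps_us:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000,
                           len(payload), len(payload)) + payload
    return out

# Constructed input: three batches stamped 10 ms apart, as batched delivery would give.
BASE = 1139193384 * 1_000_000
SAMPLE = build_sample_pcap([BASE] * 12 + [BASE + 10_000] * 15 + [BASE + 20_000] * 3)
```

A long identical run combined with a coarse smallest step points at batched delivery or a coarse clock on the capture host, so inter-packet ordering and deltas inside such a run should not be relied on in timeline reconstruction.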