Wireshark-users: Re: [Wireshark-users] Capturing and merging files from different machines
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 18 Jun 2008 15:16:30 -0700

On Jun 18, 2008, at 2:13 PM, Chris Swinney wrote:

I may have misread the merged file. I'm not sure if the merged file is totally correct as I seem to be getting responses before requests, but they DO appear to be in chronological order. I'm not sure at which point the time stamp is applied to the packet and if the sniffing PCs have any effect on this - I think not. I assume that the time stamp is applied to the header by whatever device sent the packet, not by a device listening.

No. The time stamps Wireshark gets from libpcap/WinPcap when it's capturing are the time stamps libpcap/the user-mode WinPcap code get from the OS's native capture mechanism/the WinPcap driver; from the point of view of libpcap/WinPcap, packets are time-stamped when they are *received*, not when they are *sent*.

Note also that the time stamp value comes from the clock's value at the time the time-stamping code runs; that could be after the packet is received by the network adapter or provided to the network adapter by the host. See the page Sake Blok mentioned in his message:

	http://wiki.wireshark.org/Timestamps
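
Because each capturing machine stamps packets with its own clock on receipt, a merge of two captures is only as good as the agreement between those clocks. The sketch below is an added example, not part of the original message and not Wireshark or mergecap code: it reads two classic pcap files, estimates the clock offset from packets that appear in both, and merges on one timeline. It assumes both hosts capture the same frames byte for byte with no repeated payloads, that latency is symmetric, and the sample data and the `A>` direction marker are constructed.

```python
import struct
from statistics import median

def make_pcap(records):
    """Build a classic little-endian pcap blob from (usec_timestamp, bytes) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in records:
        out += struct.pack("<IIII", ts // 10**6, ts % 10**6, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return [(usec_timestamp, packet_bytes)] from a classic pcap blob."""
    if struct.unpack_from("<I", blob)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    pos, pkts = 24, []
    while pos + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, pos)
        pkts.append((sec * 10**6 + usec, blob[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return pkts

def clock_offset(cap_a, cap_b, sent_by_a):
    """Estimate (clock B - clock A) in usec from packets present in both captures."""
    seen_b = {data: ts for ts, data in cap_b}
    fwd, rev = [], []
    for ts, data in cap_a:
        if data in seen_b:
            (fwd if sent_by_a(data) else rev).append(seen_b[data] - ts)
    # fwd = offset + latency, rev = offset - latency: the mean cancels symmetric latency
    return round((median(fwd) + median(rev)) / 2)

def merge(cap_a, cap_b, offset=0):
    """Merge both captures on A's timeline as sorted (usec, host, packet) tuples."""
    rows = [(ts, "A", d) for ts, d in cap_a] + [(ts - offset, "B", d) for ts, d in cap_b]
    return sorted(rows)

# Constructed sample: host B's clock runs 250 ms ahead, one-way latency is 1 ms.
T0, SKEW = 1213827390 * 10**6, 250_000
cap_a_recs, cap_b_recs = [], []
for i in range(3):
    t, req, rsp = T0 + i * 10**6, b"A>B req %d" % i, b"B>A rsp %d" % i
    cap_a_recs += [(t, req), (t + 3000, rsp)]
    cap_b_recs += [(t + 1000 + SKEW, req), (t + 2000 + SKEW, rsp)]
CAP_A, CAP_B = read_pcap(make_pcap(cap_a_recs)), read_pcap(make_pcap(cap_b_recs))
# Hypothetical direction test; on real traffic compare the source address instead.
OFFSET = clock_offset(CAP_A, CAP_B, lambda pkt: pkt.startswith(b"A>"))
if __name__ == "__main__":
    for label, rows in (("naive", merge(CAP_A, CAP_B)), ("corrected", merge(CAP_A, CAP_B, OFFSET))):
        print(label, [(host, pkt.decode()) for _, host, pkt in rows[:4]])
```

In the naive merge, host A's copy of the first response sorts ahead of host B's copy of the request that caused it; with the estimated offset applied, the four copies fall in causal order.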