Wireshark-users: [Wireshark-users] Wireshark and Timestamps
Date: 26 Oct 2009 18:50:29 +0000
Guy,

Thanks for your response. I've captured traffic from both production and lab networks and I'm looking at using kNN to cluster traffic types. Therefore I need to create attributes on which to cluster. One of these will be packet (frame) length, the other will be time. The assumption is that small packets (in length) have a low packet transmit time. However, I need to be able to present just the transmission time, the time it takes for the packet or frame to transit, without the time_delta, which is the time after that packet/frame and before the start of the next. Can this be done, even if it is a manual formula applied to the data when it's imported into Excel?

Thanks

Doug

Message: 8
Date: Mon, 26 Oct 2009 11:03:41 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark and Timestamps
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <D71A477E-6274-4F9C-992C-9CFBA526403B@xxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On Oct 25, 2009, at 8:58 AM, d.j.s.legge@xxxxxxxxxxxxx wrote:

> Can I please confirm that the timestamps used by Wireshark:
>
> frame_time - This is the actual date/time (as presented by the local computer clock) to Wireshark for stamping, e.g.
> num 1. Apr 23 2009 17:34:49.861864000
> num 2. Apr 23 2009 17:34:49.861942000
> num 3. Apr 23 2009 17:34:49.861979000

This is the actual date/time (as presented by the clock on the machine doing the capturing, which might or might not be the machine on which you're running Wireshark - somebody else might have captured the traffic into a file on another machine and sent it to you).

> frame_time_delta - This is the time gap between the end of frame x and the start of frame y. In the example below there is 0.000037 seconds between the end of frame #2 and the start of frame #3.
> num 1. 0.000000
> num 2. 0.000078
> num 3. 0.000037

For the Nth frame in the capture (*NOT* the Nth frame in the display, as the display might be filtered), for N > 1, this is the difference between the frame_time of the Nth frame and the frame_time of the N-1st frame. (For the first frame, it's 0.)

> frame_time_relative - This is essentially frame time sigma. That is, the cumulative time of all frames (packets) from the first capture at 0.000000.
> num 1. 0.000000
> num 2. 0.000078
> num 3. 0.000115

If there's a frame before this frame that's marked as a "time stamp reference", it is the difference between the frame_time of this frame and the frame_time of the "time stamp reference" frame. Otherwise, it is the difference between the frame_time of this frame and the frame_time of the first frame in the capture (so, for the first frame in the capture, it's obviously zero).

> The question is how does one confirm the exact frame transport time less the time_delta? I want to be able to measure the exact period of time that it takes a frame to transition the NIC.

What do you mean by "transition the NIC"?
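The definitions Guy gives above (frame.time_delta as the difference from the previous frame in capture order, frame.time_relative as the difference from the most recent "time stamp reference" frame or else from the first frame) are easy to check against a capture exported to CSV. The following is an added example, not code from the thread or from Wireshark itself; it reproduces the three timestamps quoted in the question as constructed sample input and recomputes both columns from the absolute frame.time values. The 1-based frame numbering and the choice of UTC when parsing are assumptions (only differences are used, so the zone does not affect the result).

```python
from datetime import datetime, timezone

NS_PER_SEC = 1_000_000_000
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the three frame.time values quoted in the thread,
# in the "Mon DD YYYY HH:MM:SS.nnnnnnnnn" layout Wireshark prints.
SAMPLE_FRAME_TIMES = [
    "Apr 23 2009 17:34:49.861864000",
    "Apr 23 2009 17:34:49.861942000",
    "Apr 23 2009 17:34:49.861979000",
]


def parse_frame_time(text: str) -> int:
    """Parse a Wireshark-style absolute time into integer nanoseconds.

    Integer nanoseconds are used instead of float seconds so that the
    nanosecond digits survive subtraction unchanged. Assumption: the
    clock is treated as UTC; the zone cancels out in every difference.
    """
    date_part, frac = text.rsplit(".", 1)
    base = datetime.strptime(date_part, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    since_epoch = base - _EPOCH
    whole_ns = (since_epoch.days * 86400 + since_epoch.seconds) * NS_PER_SEC
    return whole_ns + int(frac.ljust(9, "0")[:9])


def time_delta_ns(frame_times_ns: list[int]) -> list[int]:
    """frame.time_delta: for frame N > 1, time(N) - time(N-1) in *capture*
    order (a display filter does not change it); 0 for the first frame."""
    return [0 if i == 0 else t - frame_times_ns[i - 1]
            for i, t in enumerate(frame_times_ns)]


def time_relative_ns(frame_times_ns: list[int], time_references=frozenset()) -> list[int]:
    """frame.time_relative: difference from the most recent preceding
    'time stamp reference' frame, or from the first frame if none precedes
    this one. time_references holds 1-based frame numbers (the 'No.' column);
    a reference frame itself reads 0, which Wireshark shows as *REF*."""
    out = []
    ref = frame_times_ns[0]
    for number, t in enumerate(frame_times_ns, start=1):
        if number in time_references:
            ref = t
        out.append(t - ref)
    return out


def to_seconds_str(ns: int, digits: int = 6) -> str:
    """Render nanoseconds the way the Time column does (default 6 decimals)."""
    return f"{ns / NS_PER_SEC:.{digits}f}"


def main() -> None:
    ns = [parse_frame_time(s) for s in SAMPLE_FRAME_TIMES]
    deltas = time_delta_ns(ns)
    relative = time_relative_ns(ns)
    print("No.  time_delta  time_relative")
    for number, (d, r) in enumerate(zip(deltas, relative), start=1):
        print(f"{number:<4} {to_seconds_str(d):<11} {to_seconds_str(r)}")
    # Marking frame 2 as a time reference re-bases the later frames on it.
    print("with frame 2 as *REF*:", [to_seconds_str(r) for r in time_relative_ns(ns, {2})])


if __name__ == "__main__":
    main()
```

Run as a script it prints the same 0.000078 / 0.000037 deltas and 0.000078 / 0.000115 relative times as the question quotes; with frame 2 set as the reference, frame 3's relative time becomes 0.000037. Note that none of these columns is the on-the-wire transit time Doug asks about: they are differences between capture timestamps, so what "transmission time" should mean still has to be pinned down, as Guy's last question points out.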