![]() ![]() The time stamp will be closer to y than to x. If Wireshark (or any other packet sniffer) is run on the receiver, the time stamp is applied at some time after the entire packet has been received that could involve delays due to packet being queued up, interrupts being "batched", some amount of network-stack processing being done before the packet is time stamped, etc. If Wireshark (or any other packet sniffer!) is run on the sender, the packets will be "wrapped around" within the OS and handed to the capture mechanism the time stamp could be applied before the sender starts transmitting the packet, but the time stamp will be closer to x than to y. (The other exception is HP-UX, where the OS's capture mechanism doesn't time-stamp packets at all, so libpcap does so that gives answers that are somewhat similar to other OSes, but with a potentially even longer delay before the packets are time-stamped.) The main exception is Windows, where WinPcap has to provide its own capture mechanism in the kernel, atop NDIS, but the mechanism behaves very similarly to the mechanisms inside most UN*Xes, and will give similar behavior. ![]() Well, Wireshark doesn't time stamp the packets itself it relies on libpcap to do them and, on almost all operating systems, libpcap doesn't time stamp them itself, either, the OS's packet capture mechanism, as used by libpcap does.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |