It means that if you have:

  • a network adapter that supports time stamping of packet arrival times, so that it will provide a time stamp to the host;
  • a Linux kernel that supports hardware time stamping of packet arrival times and includes a driver for that network adapter that supports hardware time stamping of packet arrival times;
  • a sufficiently recent version of libpcap that, on Linux, supports hardware time stamping of packet arrival times;

Wireshark will provide a UI option that lets you request hardware time stamping of packet arrival times.

Note that the Linux time stamps in question appear to be in units of seconds and fractions of a second that have elapsed since 1970-01-01 00:00:00 TAI, not seconds and fractions of a second that have elapsed since 1970-01-01 00:00:00 UTC, and not "seconds (and fractions of a second) since the Epoch" (which is not to be confused with seconds that have elapsed since 1970-01-01 00:00:00 UTC, because "seconds since the Epoch" is really "seconds since the Epoch, not counting leap seconds").

That's not noted in any fashion in the capture file, so those values get supplied to the OS's standard time conversion routines, meaning they'll be off from UTC by a few seconds, and may be different from times in packets that don't have hardware time stamps, such as packets sent by the machine running Wireshark, as those use the OS clock which is either seconds and fractions of a second that have elapsed since 1970-01-01 00:00:00 UTC or "seconds (and fractions of a second) since the Epoch".
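For timeline correlation, the TAI-based record times can be moved onto the OS clock's scale before the capture is compared with other logs. The following is an added example, not part of the original answer or of Wireshark or libpcap; it handles classic pcap files only, the function names and the sample capture are constructed for illustration, and it assumes the adapter clock really runs on TAI, with the TAI-UTC offsets taken from the published leap-second history.

```python
import struct
from datetime import datetime, timezone

def _utc(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# (POSIX second the offset took effect, TAI-UTC seconds), newest first; 2006 onward only.
TAI_MINUS_UTC = [(_utc(2017, 1, 1), 37), (_utc(2015, 7, 1), 36),
                 (_utc(2012, 7, 1), 35), (_utc(2009, 1, 1), 34),
                 (_utc(2006, 1, 1), 33)]

def tai_to_posix(tai_sec):
    """Map a seconds count on the TAI scale to the POSIX (UTC-based) count."""
    for start, offset in TAI_MINUS_UTC:
        if tai_sec - offset >= start:
            return tai_sec - offset
    raise ValueError("timestamp predates the offset table")

def _endian(data):
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):   # little-endian, usec / nsec
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):   # big-endian, usec / nsec
        return ">"
    raise ValueError("not a classic pcap file")

def records(data):
    """Yield (seconds, fraction, orig_len, packet) for each record."""
    end, pos = _endian(data), 24
    while pos < len(data):
        sec, frac, incl, orig = struct.unpack_from(end + "IIII", data, pos)
        packet = data[pos + 16:pos + 16 + incl]
        if len(packet) != incl:
            raise ValueError("truncated record")
        yield sec, frac, orig, packet
        pos += 16 + incl

def shift_pcap(data, is_hw=lambda index, packet: True):
    """Copy a pcap, moving records that is_hw() selects from TAI to POSIX time."""
    end, out = _endian(data), bytearray(data[:24])
    for i, (sec, frac, orig, packet) in enumerate(records(data)):
        if is_hw(i, packet):
            sec = tai_to_posix(sec)
        out += struct.pack(end + "IIII", sec, frac, len(packet), orig) + packet
    return bytes(out)

# Constructed sample: record 0 hardware-stamped (TAI), record 1 stamped from the OS clock.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", s, 0, 4, 4) + b"\x00" * 4 for s in (1700000037, 1700000001))
```

Because the file does not say which records were hardware-stamped, `is_hw` has to encode what the analyst knows about the capture, for example that frames sent by the capturing host were stamped from the OS clock.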