Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2019-07-21 14:03:57 +0000

SYN-bit gravatar image

Welcome to the wonderful internals of packet-capturing. When you use Wireshark to capture, the libpcap (or WinPcap/Npcap on windows) is used to read the packets, timestamp them and write them to disk. This means the following things occur in order (this is my interpretation of the internal process to explain your finding, it might not be 100% correct):

  1. packet is received by the network interface card (NIC)
  2. the NIC issues an interupt so the OS knows there is data to collect
  3. the scheduler of the OS will decide when the packet is read from the NIC
  4. the packet is read from the NIC by the OS
  5. the packet is also read by libpcap
  6. libpcap applies the BPF packet filter, if the filter does not match, it will skip the rest of these steps
  7. libpcap copies the packet from kernel-space to user-space
  8. libpcap creates a packet-header with a timestamp
  9. libpcap writes the packet to disk

As there is some time between step 1 and step 4, there is a big chance some more packets arrived in the mean time. Once libpcap gets to read the packets and timestamp them, it has no knowledge about the times the packets were actually received, it can only use the current time as the timestamp for each packet, and therefor the real delta time between the packets is lost and the timestamps in the pcap file are just an approximation.

If you need more accurate timestamps, you will need to use a network card or external device that is specifically made for packet capturing and has the ability to timestamp the packet as soon as it is received.