Wireshark just gets its timestamp from libpcap/Npcap, and libpcap/Npcap gets it from the packet capture mechanism it uses; Wireshark itself doesn't generate the timestamp, so there's nothing Wireshark can do about it. In some UNIXes the timestamping code is in the network drivers; in other UNIXes it's higher up in the networking code path. In Windows, with Npcap, timestamping is done by the Npcap driver.

Note also that the timestamp on a packet isn't a high-accuracy measurement of when the first bit or the last bit of the packet arrived at the network adapter; there's a delay between the arrival of that last bit and the interrupt for the packet, and a delay between the start of interrupt handling and the point in the code path where the timestamp is attached to the packet.

Another issue might be if the OS delivers multiple packets per interrupt. This can be because the OS does "polling" or otherwise arranges that one interrupt be delivered for a batch of packets, to reduce interrupt-handling overhead. If that's the case, the timestamps might be the same for multiple packets, at least to the resolution of the timestamping routine.
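An added example, not from the original post: a minimal reader for classic pcap files (not pcapng) that lists runs of consecutive packets carrying the same timestamp, which is how batched delivery shows up in a capture. The function names and the sample capture are constructed for illustration.

```python
import struct
from itertools import groupby

# Classic pcap magic, as bytes on disk -> (struct byte order, timestamp units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanosecond timestamps
}

def read_timestamps(data):
    """Return (units_per_second, [timestamps as integers]) for a classic pcap file."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    stamps, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        if off + 16 + incl_len > len(data):
            break  # truncated final record: stop rather than misparse
        stamps.append(sec * units + frac)  # integers, so equality is exact
        off += 16 + incl_len
    return units, stamps

def same_stamp_runs(stamps):
    """List (first_index, count, timestamp) for runs of consecutive equal timestamps."""
    runs, idx = [], 0
    for ts, grp in groupby(stamps):
        n = len(list(grp))
        if n > 1:
            runs.append((idx, n, ts))
        idx += n
    return runs

def build_sample():
    """Constructed capture: five 14-byte packets; 0-based packets 1..3 share a timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(100, 10), (100, 250), (100, 250), (100, 250), (100, 900)]:
        payload = b"\x00" * 14
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    units, stamps = read_timestamps(build_sample())
    for first, count, ts in same_stamp_runs(stamps):
        print(f"packets {first}..{first + count - 1} share timestamp {ts / units:.6f}")
```

Within such a run the timestamps alone cannot establish arrival order or inter-packet gaps, so a forensic timeline should treat those packets as simultaneous to the clock's resolution.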