
List:       wireshark-users
Subject:    Re: [Wireshark-users] internal time-function
From:       Guy Harris <guy () alum ! mit ! edu>
Date:       2006-10-30 18:24:31
Message-ID: 4546435F.1010308 () alum ! mit ! edu

Steffen Röttig wrote:

> I have a little question about the internal work.
> Wireshark can choose about 4 time-views. I think the resource for the 
> views is the timestruct in the ethernet-header. Or not?

Given that there is no time stamp in the Ethernet header (that header 
has only a destination MAC address, a source MAC address, and a 
type/length field), the answer is "not".

> Are the functions for the views Wireshark functions or is it a feature of 
> WinPcap?
> 
> i.e. does Wireshark get the packet from WinPcap,

Wireshark doesn't get the packet from WinPcap on the machine on which 
I'm typing this, because it doesn't run Windows; it gets it from libpcap.

Libpcap and WinPcap, in turn, get the packet from some mechanism that's 
part of the OS (either they do this purely from userland in UN*X, or in 
the kernel-mode WinPcap driver in Windows).  ("WinPcap" here refers to 
the wpcap.dll library, the packet.dll library, and the kernel-mode 
WinPcap driver.)

They also get the time stamp, in most cases, from the same mechanism in 
UN*X, or from some kernel mechanism in Windows.  (In HP-UX, the kernel 
mechanism doesn't supply a time stamp, so libpcap just directly calls 
gettimeofday() to get the current time - which means that the time might 
be more inaccurate.)

Libpcap and WinPcap supply to the caller

	1) a structure that contains the packet time stamp, the length of the 
packet as received by the host, and the amount of the packet data that 
was supplied to libpcap/WinPcap (because you can request that it supply 
no more than N bytes of packet data, if you're only interested in, for 
example, headers up to the TCP layer);

	2) the raw packet data.

Wireshark, like tcpdump/WinDump and other applications using 
libpcap/WinPcap, gets the packet time stamps from that structure.

That time stamp is an absolute time. For the "time of day" and "date and 
time of day" displays, Wireshark just uses that time (and localtime() to 
convert the seconds-resolution part of that time from "seconds since 
January 1, 1970, 00:00:00 GMT" to a local time and date, specified as 
year/month/day/hour/minute/second).  For the relative time, it subtracts 
the time stamp of the first packet to get a relative time in seconds and 
microseconds (or nanoseconds, if it's reading a capture file with 
nanosecond resolution); for the delta time, it subtracts the time stamp 
of the previous packet (and just uses 0 for the first packet).
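The two points above (the per-packet header libpcap/WinPcap hands to the caller, and how Wireshark derives its time columns from the absolute time stamp in it) as an added worked example, not code from Guy's message or from the Wireshark/libpcap sources. It reads the libpcap file format, whose per-packet record header carries exactly the three fields described: time stamp (seconds plus microseconds, or nanoseconds for the 0xa1b23c4d magic), captured length and original length. The sample captures are constructed in memory with dummy payloads; the function names and the use of UTC instead of localtime() (so the output does not depend on the machine's time zone) are this example's own choices.

```python
import struct
from datetime import datetime, timezone

MAGIC_USEC = 0xA1B2C3D4   # libpcap magic: microsecond-resolution time stamps
MAGIC_NSEC = 0xA1B23C4D   # libpcap magic: nanosecond-resolution time stamps


def build_capture(records, nanosecond=False, snaplen=65535, endian="<"):
    """Write a libpcap file to bytes (example helper, not a libpcap API).

    records: iterable of (ts_sec, ts_frac, payload, orig_len); payload is the
    captured, possibly truncated, data and orig_len the length on the wire.
    """
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, ts_frac, payload, orig_len in records:
        # per-packet record header: ts_sec, ts_usec/ts_nsec, incl_len (caplen), orig_len (len)
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), orig_len)
        out += payload
    return bytes(out)


def parse_capture(data):
    """Return (divisor, records); each record is (ts_sec, ts_frac, caplen, origlen, payload).

    divisor is 10**6 or 10**9 and says how to interpret ts_frac.  The byte order
    is detected from the magic number, which reads byte-swapped if the writer
    used the other endianness.
    """
    magic, = struct.unpack_from("<I", data, 0)
    table = {
        MAGIC_USEC: ("<", 1_000_000), MAGIC_NSEC: ("<", 1_000_000_000),
        0xD4C3B2A1: (">", 1_000_000), 0x4D3CB2A1: (">", 1_000_000_000),
    }
    if magic not in table:
        raise ValueError("not a libpcap capture file: magic 0x%08x" % magic)
    endian, divisor = table[magic]
    records = []
    off = 24
    while off < len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        # reject fractions out of range and records that run past the file
        if ts_frac >= divisor or off + caplen > len(data):
            raise ValueError("malformed record header at offset %d" % (off - 16))
        records.append((ts_sec, ts_frac, caplen, origlen, data[off:off + caplen]))
        off += caplen
    return divisor, records


def fmt(ticks, divisor):
    """Format a signed tick count as seconds with 6 or 9 fractional digits."""
    digits = 6 if divisor == 1_000_000 else 9
    sign = "-" if ticks < 0 else ""
    sec, frac = divmod(abs(ticks), divisor)
    return "%s%d.%s" % (sign, sec, str(frac).zfill(digits))


def time_views(data):
    """Derive Wireshark's time views for each packet from the absolute time stamp."""
    divisor, records = parse_capture(data)
    views = []
    first = prev = None
    for ts_sec, ts_frac, caplen, origlen, _payload in records:
        ticks = ts_sec * divisor + ts_frac   # absolute time, in usec or nsec since the epoch
        if first is None:
            first = prev = ticks             # relative and delta are 0 for the first packet
        abs_dt = datetime.fromtimestamp(ts_sec, tz=timezone.utc)   # UTC, not localtime()
        frac_str = fmt(ts_frac, divisor)[2:]
        views.append({
            "date_time": abs_dt.strftime("%Y-%m-%d %H:%M:%S.") + frac_str,
            "time_of_day": abs_dt.strftime("%H:%M:%S.") + frac_str,
            "relative": fmt(ticks - first, divisor),   # minus first packet's time stamp
            "delta": fmt(ticks - prev, divisor),       # minus previous packet's time stamp
            "caplen": caplen,
            "len": origlen,
            "truncated": caplen < origlen,             # snaplen cut the packet short
        })
        prev = ticks
    return views


# Constructed samples: dummy payloads, not real frames.  The third record of the
# first capture is a 1514-byte packet cut to 14 bytes by a small snaplen.
SAMPLE_USEC = build_capture([
    (1162232671, 500000, b"\x00" * 60, 60),   # 2006-10-30 18:24:31.500000 UTC
    (1162232671, 750000, b"\x00" * 60, 60),
    (1162232673, 10, b"\x00" * 14, 1514),
])
SAMPLE_NSEC = build_capture([
    (1162232671, 500_000_001, b"\x00" * 60, 60),
    (1162232671, 500_000_002, b"\x00" * 60, 60),
], nanosecond=True)

if __name__ == "__main__":
    for i, v in enumerate(time_views(SAMPLE_USEC), 1):
        print(i, v["date_time"], v["relative"], v["delta"], v["caplen"], v["len"])
```

Wireshark keeps the whole-second and fractional parts separate rather than converting to a float; the integer tick arithmetic here does the same, so a nanosecond-resolution file loses nothing in the relative and delta columns.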
