I have found in a pcap file from Wireshark that some packets overlap in time on the wire. For example, a certain packet is 1514 bytes long and another packet goes only five microseconds after it. So on a 100Mb/s link this packet should last approximately 120 microseconds, but another packet goes only 5 microseconds after the beginning of the first packet. How is this possible?

asked 13 Jun '13, 06:57 micacim

2 Answers:
Please note that libpcap and WinPcap do the timestamping during capturing and that the timestamp is not added at the time the frame enters or leaves the NIC, but at the time libpcap or WinPcap get to process the packet. It can happen that a few frames enter the NIC and while the host is processing the IRQ to fetch the packets, some more packets come in. Then the OS will read all packets from the buffer on the NIC and so libpcap/WinPcap will not be able to tell the exact time of arrival of the packets. The same goes for sending packets: libpcap/WinPcap can already have timestamped them, even though the packets are still waiting in the NIC's buffer for transmission. If you want exact timestamps, you will need a capture card and driver where the timestamping is done on the capture card. Riverbed's TurboCap cards can be used, for example, to accomplish this.

answered 13 Jun '13, 11:01 SYN-bit ♦♦

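A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it reads a classic pcap file and lists packets stamped sooner after the previous packet than that frame's serialization time at the given link speed. It assumes the capture holds one direction of one link; the function names and the sample capture are constructed for illustration.

```python
import struct

# magic bytes -> (struct byte order, nanoseconds per timestamp fraction unit)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1000), b"\xa1\xb2\xc3\xd4": (">", 1000),
    b"\x4d\x3c\xb2\xa1": ("<", 1), b"\xa1\xb2\x3c\x4d": (">", 1),
}

def read_pcap(data):
    """Yield (timestamp_ns, orig_len) for every record of a classic pcap byte string."""
    if data[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    order, ns_per_unit = PCAP_MAGIC[data[:4]]
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        yield sec * 10**9 + frac * ns_per_unit, orig_len
        offset += 16 + incl_len

def find_overlaps(data, link_mbps):
    """Return (index, delta_us, needed_us) for packets stamped before the
    previous frame could have left the wire at link_mbps."""
    overlaps, prev = [], None
    for index, (ts_ns, orig_len) in enumerate(read_pcap(data)):
        if prev is not None:
            # Frame bytes only: preamble, FCS and inter-frame gap would make
            # the real minimum spacing larger, so this is a conservative bound.
            needed_ns = prev[1] * 8 * 1000 / link_mbps
            delta_ns = ts_ns - prev[0]
            if delta_ns < needed_ns:
                overlaps.append((index, delta_ns / 1000, needed_ns / 1000))
        prev = (ts_ns, orig_len)
    return overlaps

def build_sample():
    """Constructed capture: 1514-byte frames at 0 and 5 us, a 64-byte frame at 130 us."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 14, 1)
    for usec, orig_len in ((0, 1514), (5, 1514), (130, 64)):
        # 14 captured bytes per record (zero-filled placeholder data)
        out += struct.pack("<IIII", 1371106620, usec, 14, orig_len) + bytes(14)
    return out

if __name__ == "__main__":
    for index, delta_us, needed_us in find_overlaps(build_sample(), 100):
        print(f"packet {index}: {delta_us:.1f} us after previous, "
              f"which needs {needed_us:.1f} us on the wire")
```

To run it on a real capture, pass the file's bytes, for example `find_overlaps(open(path, "rb").read(), 100)`; pcapng files are not handled and must be converted to classic pcap first.
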
On certain switches you can monitor either packets entering/leaving a physical interface or packets entering/leaving on a specific vlan. If you are mirroring a vlan and you did not specify a direction, then you see the same packet when it enters the vlan on the switch and when leaving the vlan on the switch. And yes, switching times are in microseconds, so that's probably the case.

answered 13 Jun '13, 07:07 klodovic

Sorry, I didn't say that it was the traffic in one direction, already filtered. (13 Jun '13, 10:34) micacim

Thank you for your response. I suppose I need timestamping on the card, but I measure traffic on 100Mb/s, so can you tell me where I can find a 100Mb/s Ethernet card that supports timestamping on it?