How to differentiate between Frame.time_epoch vs prism.did.mactime? MACtime is in microseconds, is time_epoch also a microsecond value?
asked 16 Sep '14, 12:37 dheryta
One Answer:
answered 16 Sep '14, 17:37 Guy Harris ♦♦
By capture mechanism, is it meant the machine on which capture was initiated or where Wireshark is capturing? Also, is mactime dependent on the NIC card? Is there any official documentation which covers all possible details of these? Thanks for help.
The capture mechanism is the mechanism that the program that does the packet capture uses - for example:
PF_PACKET sockets (and the rest of the network code path) on Linux
etc.
What's the difference between "the machine on which capture was initiated" or "the machine ... where Wireshark is capturing"?
mactime is supplied by the NIC, so its meaning, in theory, depends on the NIC and the driver. The NICs and drivers might use the TSFT time stamp, but that timer's absolute value has no significance.
No, there is no official documentation on either of those topics.
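An added example, not part of the original thread: because the absolute mactime value has no significance, this Python code compares only frame-to-frame differences of the two time stamps. It assumes input in the form printed by `tshark -r capture.pcap -T fields -e frame.time_epoch -e prism.did.mactime` (`capture.pcap` is a placeholder), that the epoch value is printed as seconds with a fractional part, and that mactime is a 32-bit counter ticking in microseconds, which in practice depends on the NIC and driver; the sample rows are constructed.

```python
from decimal import Decimal

WRAP = 1 << 32  # assumption: mactime is a 32-bit counter that wraps around

# Constructed sample: frame.time_epoch <TAB> prism.did.mactime
SAMPLE = (
    "1410870000.000100\t4294967000\n"
    "1410870000.000500\t104\n"        # mactime wrapped past 2**32 here
    "1410870000.001250\t850\n"
)

def parse_rows(text):
    """Parse tab-separated 'epoch<TAB>mactime' lines into (Decimal, int) pairs."""
    rows = []
    for line in text.strip().splitlines():
        epoch, mactime = line.split("\t")
        # Decimal keeps every fractional digit; a float would round them.
        rows.append((Decimal(epoch), int(mactime)))
    return rows

def clock_deltas(rows, us_per_tick=1):
    """For each consecutive frame pair return (host_us, mac_us, host_us - mac_us).

    host_us comes from frame.time_epoch (capture host clock, in seconds).
    mac_us comes from mactime (NIC counter); only the difference is used,
    taken modulo 2**32 so a counter wrap does not yield a negative delta.
    us_per_tick is an assumption to adjust if the driver uses another unit.
    """
    out = []
    for (e0, m0), (e1, m1) in zip(rows, rows[1:]):
        host_us = int((e1 - e0) * 1_000_000)
        mac_us = ((m1 - m0) % WRAP) * us_per_tick
        out.append((host_us, mac_us, host_us - mac_us))
    return out

if __name__ == "__main__":
    for host_us, mac_us, diff in clock_deltas(parse_rows(SAMPLE)):
        print(f"host delta {host_us} us, mac delta {mac_us} us, difference {diff} us")
```

A steadily growing difference points to drift between the host clock and the NIC timer; irregular jumps point to delay in the capture path on the host.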