This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to differentiate between Frame.time_epoch vs prism.did.mactime ? MACtime is in microseconds, is time_epoch also a microsecond value ?

asked 16 Sep '14, 12:37

dheryta's gravatar image

dheryta
11225
accept rate: 0%


frame.time_epoch is the packet time stamp from the capture mechanism; it is in units of nanoseconds since January 1, 1970, 00:00:00 UTC (except possibly for leap seconds, but you really don't want to hear me rant about POSIX and leap seconds). It doesn't necessarily have full nanosecond precision; that depends on the precision of the clock from which the time stamp came (which could be in microseconds or even larger fractions of a second).

prism.did.mactime is the lower 32 bits of some microsecond-resolution MAC-layer timer; I suspect it's the timer for the Time Synchronization Function of IEEE 802.11, but I don't know for certain. Unlike frame.time_epoch, it does not represent a date and time.

permanent link

answered 16 Sep '14, 17:37

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

By capture mechanism is it meant that the machine on which capture was initiated or where wireshark is capturing? Also, is mactime dependent on NIC card? Is there any official documentation which covers all possible details of these? Thanks for help.

(16 Sep '14, 18:17) dheryta

The capture mechanism is the mechanism that the program that does the packet capture uses - for example:

  • PF_PACKET sockets (and the rest of the network code path) on Linux
  • BPF on OS X and *BSD and Solaris 11;
  • WinPcap on WIndows;

etc.. What's the difference between "the machine on which capture was initiated" or "the machine ... where Wireshark is capturing"?

mactime is supplied by the NIC, so its meaning, in theory, depends on the NIC and the driver. The NICs and drivers might use the TSFT time stamp, but that timer's absolute value has no significance.

No, there is no official documentation on either of those topics.

(16 Sep '14, 18:46) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×4
×1
×1

question asked: 16 Sep '14, 12:37

question was seen: 2,262 times

last updated: 16 Sep '14, 18:47

p​o​w​e​r​e​d by O​S​Q​A