
Wireshark - Frame.time_epoch vs prism.did.mactime


How to differentiate between Frame.time_epoch vs prism.did.mactime ? MACtime is in microseconds, is time_epoch also a microsecond value ?

asked 16 Sep '14, 12:37

dheryta


One Answer:


frame.time_epoch is the packet time stamp from the capture mechanism; it is in units of nanoseconds since January 1, 1970, 00:00:00 UTC (except possibly for leap seconds, but you really don't want to hear me rant about POSIX and leap seconds). It doesn't necessarily have full nanosecond precision; that depends on the precision of the clock from which the time stamp came (which could be in microseconds or even larger fractions of a second).

prism.did.mactime is the lower 32 bits of some microsecond-resolution MAC-layer timer; I suspect it's the timer for the Time Synchronization Function of IEEE 802.11, but I don't know for certain. Unlike frame.time_epoch, it does not represent a date and time.

answered 16 Sep '14, 17:37

Guy Harris ♦♦

By capture mechanism is it meant that the machine on which capture was initiated or where wireshark is capturing? Also, is mactime dependent on NIC card? Is there any official documentation which covers all possible details of these? Thanks for help.

(16 Sep '14, 18:17) dheryta

The capture mechanism is the mechanism that the program that does the packet capture uses - for example:

  • PF_PACKET sockets (and the rest of the network code path) on Linux;
  • BPF on OS X and *BSD and Solaris 11;
  • WinPcap on Windows;

etc. What's the difference between "the machine on which capture was initiated" or "the machine ... where Wireshark is capturing"?

mactime is supplied by the NIC, so its meaning, in theory, depends on the NIC and the driver. The NICs and drivers might use the TSFT time stamp, but that timer's absolute value has no significance.

No, there is no official documentation on either of those topics.

(16 Sep '14, 18:46) Guy Harris ♦♦
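An added example, not part of the thread above, showing the practical consequence of the answer: frame.time_epoch deltas and prism.did.mactime deltas are comparable only as intervals, and mactime must be differenced modulo 2^32 because it is the low 32 bits of a microsecond counter. The rows are constructed, in the shape `tshark -T fields -e frame.time_epoch -e prism.did.mactime` prints (field layout assumed; values invented).

```python
"""Compare frame.time_epoch (seconds since the Unix epoch, fractional part
carries the sub-second digits) with prism.did.mactime (unsigned 32-bit
microsecond counter) across consecutive frames of a capture."""
from datetime import datetime, timezone
from decimal import Decimal

MACTIME_MODULUS = 1 << 32  # mactime is the low 32 bits of a microsecond timer

# Constructed sample rows: tab-separated frame.time_epoch, prism.did.mactime.
# Rows 2->3 cross the 32-bit rollover; the last row shows 50 us of clock drift.
SAMPLE_ROWS = """\
1410907042.123456000\t4294960000
1410907042.133456000\t4294970000
1410907042.143456000\t12704
1410907042.153456000\t22704
1410907042.163456000\t32754
"""


def parse_rows(text):
    """Parse (frame.time_epoch, prism.did.mactime) rows; Decimal keeps the
    nanosecond digits that a float would silently truncate."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            epoch_s, mactime = line.split("\t")
            rows.append((Decimal(epoch_s), int(mactime)))
    return rows


def mactime_delta_us(prev, cur):
    """Microseconds between two mactime readings, honouring the 32-bit
    wraparound (the counter rolls over roughly every 71.6 minutes)."""
    return (cur - prev) % MACTIME_MODULUS


def epoch_to_utc(epoch_s):
    """Only frame.time_epoch maps to a calendar date; mactime never does."""
    return datetime.fromtimestamp(float(epoch_s), tz=timezone.utc)


def compare_clocks(rows):
    """Per consecutive pair: (host delta us, NIC delta us, NIC minus host).
    A steadily growing last value means the NIC timer and the host clock
    are drifting apart, which matters when correlating 802.11 events."""
    out = []
    for (t0, m0), (t1, m1) in zip(rows, rows[1:]):
        host_us = int((t1 - t0) * 1_000_000)
        nic_us = mactime_delta_us(m0, m1)
        out.append((host_us, nic_us, nic_us - host_us))
    return out
```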