I have a doubt regarding the frame time. I was using -e frame.time field in tshark inorder to capture time stamp but i was confused about the frame time, it this the time when packet was generated? or it is the arrival time of the packet? Can we calculate the router timestamp? because for example if a packet was sent by server to router at 6:00 AM but the packet arrived to the router at 6:02 AM, i want to calculate router time(i.e.,6:01 AM time), till now i am assuming frame.time is the packet arrival time, please correct me if i was wrong. If wrong is there any filter in tshark to find the router timestamp?
Thanks in advance :)
asked 24 May '17, 15:33
A quick search turns up a lot of information:
In short: packets are stamped (somewhere near) packet arrival time. If you want 'Router time' as you call it, you'll need capture and time stamping in the router itself.
BTW: A retention time of 2 minutes is ridiculously long. Microseconds is more likely.
answered 24 May '17, 21:59