Wireshark はいつパケットにタイムスタンプを付けますか? フレームを完全に受信した後?または、すでにフレームの最初のバイトを受信していますか? Wireshark のタイムスタンプに関する次の説明を読みましたが、このテキストには「パケットがキャプチャされている間、各パケットには受信時にタイム スタンプが付けられます」としか記載されていません。
次のシナリオと正確な OS 時刻について考えてみましょう。
送信者 ----> Wireshark ----> 受信者
送信者は、時間 x でフレームの送信を開始します。フレームは時間 y (y = 送信開始 x + フレーム長 / リンク速度) で受信機で完全に受信されます。キャプチャされたフレームは、x に近いタイムスタンプで Wireshark に表示されますか、それとも y になりますか?
敬具、ジョナス
Well, Wireshark doesn't time stamp the packets itself; it relies on libpcap to do them and, on almost all operating systems, libpcap doesn't time stamp them itself, either, the OS's packet capture mechanism, as used by libpcap does. The main exception is Windows, where WinPcap has to provide its own capture mechanism in the kernel, atop NDIS, but the mechanism behaves very similarly to the mechanisms inside most UN*Xes, and will give similar behavior. (The other exception is HP-UX, where the OS's capture mechanism doesn't time-stamp packets at all, so libpcap does so; that gives answers that are somewhat similar to other OSes, but with a potentially even longer delay before the packets are time-stamped.)
If Wireshark (or any other packet sniffer!) is run on the sender, the packets will be "wrapped around" within the OS and handed to the capture mechanism; the time stamp could be applied before the sender starts transmitting the packet, but the time stamp will be closer to x than to y.
If Wireshark (or any other packet sniffer) is run on the receiver, the time stamp is applied at some time after the entire packet has been received; that could involve delays due to packet being queued up, interrupts being "batched", some amount of network-stack processing being done before the packet is time stamped, etc.. The time stamp will be closer to y than to x.
If Wireshark (or any other packet sniffer) is being run on some third machine, passively sniffing a network, the time stamp will probably be closer to y than to x, but there's a difference due to the receiver and the sniffer being separate machines that might see the packet at different times, have different code paths for receiving, etc..