On Oct 26, 2009, at 11:50 AM, d.j.s.legge@xxxxxxxxxxxxx wrote:
> Thanks for your response. I've captured traffic from both production and
> lab networks and I'm looking at using kNN to cluster traffic types.
> Therefore I need to create attributes on which to cluster. One of these
> will be packet (frame) length, the other will be time. The assumption
> being that small packets (in length) have a low packet transmit time.
> However I need to be able to present just transmission time, the time it
> takes for the packet or frame to transit,

Again, what do you mean by "transition the NIC" or "transit"?

If you're trying to, for example, find the time between the point at
which the NIC is told to transmit the packet and the point at which
the last bit of the packet is put onto the network, you can't get that
from any of the packet capture mechanisms that are available to
libpcap/WinPcap, and thus you can't get that from Wireshark. The time
stamps that the capture mechanisms provide to libpcap/WinPcap, and
thus to Wireshark (or any other app using libpcap/WinPcap), are the
time at which the capture mechanism is handed the packet. For
incoming packets, this could be a significant amount of time after the
packet is received by the NIC; for outgoing packets, it's the time at
which the driver or networking stack happens to hand the packet to the
capture mechanism, which is probably before the packet is even put
onto the network.
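
An added example, not part of the original message: a minimal reader for the classic pcap file format that extracts the two per-packet values a capture file actually holds, the original frame length and the capture timestamp, and derives the gap between consecutive timestamps. The function names and the in-memory sample capture are constructed for illustration.

```python
import struct

def build_sample_pcap():
    """Constructed sample: a classic pcap file built in memory (not real traffic)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(1256554200, 100000, 64),    # (ts_sec, ts_usec, frame length)
              (1256554200, 100450, 1514),
              (1256554200, 350450, 64)]
    for sec, usec, length in frames:
        data += struct.pack("<IIII", sec, usec, length, length) + bytes(length)
    return data

# Magic bytes as stored on disk -> (struct byte order, sub-second ticks per second)
LAYOUTS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),   # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),   # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),   # big-endian, nanoseconds
}

def capture_features(pcap_bytes):
    """Return [(orig_len, seconds since previous capture timestamp)] per record.

    The delta is the gap between the times the capture mechanism was handed
    each packet; it is not the time the frame spent being transmitted.
    """
    if pcap_bytes[:4] not in LAYOUTS:
        raise ValueError("not a classic pcap file")
    endian, ticks = LAYOUTS[pcap_bytes[:4]]
    record = struct.Struct(endian + "IIII")   # ts_sec, ts_frac, incl_len, orig_len
    offset, prev, features = 24, None, []     # 24 = size of the global header
    while offset + record.size <= len(pcap_bytes):
        sec, frac, incl_len, orig_len = record.unpack_from(pcap_bytes, offset)
        offset += record.size
        if offset + incl_len > len(pcap_bytes):
            break                             # truncated final record: stop cleanly
        offset += incl_len                    # skip the captured bytes
        stamp = sec * ticks + frac            # integer ticks avoid float rounding
        features.append((orig_len, 0.0 if prev is None else (stamp - prev) / ticks))
        prev = stamp
    return features

if __name__ == "__main__":
    for length, delta in capture_features(build_sample_pcap()):
        print(f"frame_len={length:5d}  delta_since_prev={delta:.6f}s")
```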