First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

What is the difference between packet Inter arrival time and time delta from previous captured frame.

Hi,

On my packet capture on Wireshark I have a column called "time delta from previous captured frame" as well as "time delta from previous displayed frame".

1- What is the difference between these two?

2- Is one of them the same as packet inter arrival time?

3- I am actually trying to find the packet inter arrival time so can I use one of the delta columns for this?

4- If not, how do I find the IAT in Wireshark?

Thanks

WNuz's avatar
3
WNuz
asked 2021-09-10 01:57:19 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

2 Answers

0

On my packet capture on Wireshark I have a column called "time delta from previous captured frame" as well as "time delta from previous displayed frame".

1- What is the difference between these two?

If you don't have a display filter limiting which packets appear in the packet list, there is no difference.

If you do have a display filter limiting which packets appear in the packet list then:

  • the "time delta from previous captured frame" is the difference in time stamps between the packet in question and the packet before it in the capture, even if that packet isn't currently being displayed because it didn't match the display filter;
  • the "time delta from previous displayed frame" is the difference in time stamps between the packet in question and the packet before it in the packet list.

2- Is one of them the same as packet inter arrival time?

That depends on how the packet interarrival time is defined and how the capture was done.

If:

  • the packet interarrival time for a given network interface is defined as the time difference between packets that arrive on that interface;
  • the capture was done without any capture filter, and no packets were dropped by the adapter or by any part of the packet capture mechanism, so that every single packet that arrived on the interface is in the capture;

then the "time delta from previous captured frame" would be an approximation of the packet interarrival time for the packet and the previous packet.

I say "approximation" because, in most cases, the time stamps come from the operating system, which means that they aren't necessarily the exact arrival time of the packet on the network interface - there may be various delays due to interrupt latency, packet batching (so that multiple packets are picked up in response to a single interrupt), time delays between the point in time at which the host is told that the packets have arrived and the time at which it time-stamps the packet, etc..

Guy Harris's avatar
19.9k
Guy Harris
answered 2021-09-10 07:33:56 +0000
edit flag offensive 0 remove flag delete link
more

Comments

So if I am using a display filter limiting which packets appear in the packet list, should I still use "time delta from previous captured frame" for the inter-arrival time?

WNuz's avatar WNuz (2021-09-14 01:34:07 +0000) edit
more
  • delete
add a comment see more comments
0
  1. Time delta from previous captured frame may differ from previous displayed frame when a display filter is applied, whereby the display filter hides an intermediate frame from the list.
  2. The time delta from previous captured frame could be seen as the packet inter arrival time, as far as the time stamping accuracy from the capturing entity goes. Usually the captured frame travels up into the network stack a bit before being timestamped, so it might deviate a little from the on the wire time.
  3. As per answer 2, the time delta from previous captured frame is usually sufficient.
  4. Time delta from previous captured frame is the best Wireshark can do, for timing accuracy it depends on the OS networking stack doing the time stamping , or the time stamping hardware capture device, if used.
Jaap's avatar
13.7k
Jaap
answered 2021-09-10 07:08:49 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer