I am trying to parse the MAC timestamp fields of radiotap headers of 802.11 packets captured in monitor mode.

The TSFT field of the radiotap header is a 64-bit value in microseconds. The raw hex value is highlighted below.

The MAC timestamp value is represented in decimal by Wireshark.

This decimal value is the decimal value of 2b1c20cb00000000.

What I'm trying to do is get the time difference between two frames using the hex value in the radiotap header MAC timestamp field.

For example:

Frame #2 has a decimal value of 3106049021945315329 (2b1ae72100000001) and

frame #3 has 3106066889009266689 (2b1af76100000001).

Subtracting these values gives 1AC47FFFFF5C1. Assuming this is in microseconds, the value is equal to 470900214.330817 seconds.

What is the process, following these steps, to get the time difference of 0.000071 seconds by using the values in the MAC timestamp field of the radiotap header?

Thank you

1 Answer

The "MAC timestamp" field in the radiotap header is the value in microseconds of the MAC's 64-bit 802.11 Time Synchronization Function timer when the first bit of the MPDU arrived at the MAC. This is taken directly from the MAC via the device driver for the particular WiFi card you have, and may or may not be accurate or correct, depending on the driver implementation.

The "Time" column displays the elapsed time since the first frame was received. This is calculated by libpcap using the system clock on the host and is the time the frame was first seen by libpcap.

Both of these time values are computed using different clocks, so cannot be directly compared. If the MAC timestamp field is correct and accurate (which yours appears not to be - maybe a driver issue) then it should be used as the reference time, and the libpcap time should only be used as a rough guide.
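
An added example, not part of the original question or answer: one way to read the TSFT field from raw radiotap bytes and take a frame-to-frame delta. Radiotap fields are little-endian and naturally aligned from the start of the header, so TSFT sits at the first 8-byte boundary after the present bitmap(s). The function names and the `build_header` sample generator are hypothetical, and the sample timestamps are constructed.

```python
import struct

TSFT_BIT = 1 << 0      # "present" bit 0: 64-bit TSFT field is included
EXT_BIT = 1 << 31      # "present" bit 31: another 32-bit present word follows

def radiotap_tsft(frame: bytes):
    """Return the TSFT value in microseconds, or None if the field is absent."""
    if len(frame) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, hdr_len, first = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or hdr_len > len(frame):
        raise ValueError("bad radiotap version or length")
    offset, word = 8, first
    while word & EXT_BIT:                      # skip chained present words
        if offset + 4 > hdr_len:
            raise ValueError("present bitmap overruns header")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    if not first & TSFT_BIT:
        return None
    offset = (offset + 7) & ~7                 # TSFT is 8-byte aligned from header start
    if offset + 8 > hdr_len:
        raise ValueError("TSFT field overruns header")
    (tsft,) = struct.unpack_from("<Q", frame, offset)   # little-endian u64
    return tsft

def tsft_delta_us(earlier: int, later: int) -> int:
    """Microseconds between two TSFT readings, tolerating 64-bit counter wrap."""
    return (later - earlier) & 0xFFFFFFFFFFFFFFFF

def build_header(tsft: int, ext_words: int = 0) -> bytes:
    """Constructed sample header carrying only a TSFT field (test input)."""
    words = [TSFT_BIT | (EXT_BIT if ext_words else 0)]
    words += [EXT_BIT if i < ext_words - 1 else 0 for i in range(ext_words)]
    body = b"".join(struct.pack("<I", w) for w in words)
    body += b"\x00" * (-(4 + len(body)) % 8)   # pad so TSFT lands on an 8-byte boundary
    hdr_len = 4 + len(body) + 8
    return struct.pack("<BBH", 0, 0, hdr_len) + body + struct.pack("<Q", tsft)

if __name__ == "__main__":
    a = radiotap_tsft(build_header(1_000_000))            # constructed values
    b = radiotap_tsft(build_header(1_000_071, ext_words=1))
    print(tsft_delta_us(a, b) / 1e6, "seconds")
```

The delta is only meaningful when both readings come from the same adapter's TSF timer; it says nothing about the libpcap capture time.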