1
votes

I am using Wireshark to capture and analyse the data from the radiotap header and the frame metadata. I would like to know if the epoch time from the frame metadata is the arrival time on the router or arrival time on my device.

I know epoch time is the time in microseconds since the Epoch (1st January 1970). So I am using it as the time my device has captured the packet.

I am making a project that uses the difference between the MAC timestamp (the stamp given in the router) and the time my device captured the packet, and I am using those two fields to get said difference.

The doubt came from the fact that this difference is always in the interval of 0.25 to 2.75 microseconds, independent of where my computer was capturing the packets. So I wanted to make sure that:

The MAC timestamp is a timestamp that the access point (my router) puts into the packet before sending it out, and the epoch time is a timestamp my computer puts on the frame metadata when said packet was captured.

Is that correct? If not, how can I determine the time my packet was captured?

Edit: Fixing field name for Epoch time.

1 Answer

1
votes

As it turns out, both are the same. The MAC timestamp is part of the metadata added by the capturing software, as are the epoch time and arrival time.

The timestamp that the access point prints into the packet is in base-16 and is contained under the frame tab, in the fixed parameters of Beacon and Probe frames. In Wireshark, the field is simply labeled "Timestamp:".
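The two fields discussed in this thread can be pulled out of a raw capture directly. The following is an added example, not part of the original question or answer: it reads the radiotap TSFT value (the capture-side MAC timestamp) and the 64-bit Timestamp fixed parameter that the access point writes into beacons and probe responses. The sample packet, its address and its timestamp values are constructed for illustration.

```python
import struct

def radiotap_tsft(pkt: bytes):
    """Return (radiotap_len, TSFT or None); TSFT is what Wireshark shows as the radiotap MAC timestamp."""
    version, _pad, rt_len, present = struct.unpack_from("<BBHI", pkt, 0)
    if version != 0 or rt_len > len(pkt):
        raise ValueError("not a radiotap header")
    has_tsft = bool(present & 1)          # bit 0 of the first present word = TSFT
    offset = 8
    while present & (1 << 31):            # bit 31: another present word follows
        (present,) = struct.unpack_from("<I", pkt, offset)
        offset += 4
    if not has_tsft:
        return rt_len, None
    offset = (offset + 7) & ~7            # TSFT is a u64, aligned to 8 bytes
    return rt_len, struct.unpack_from("<Q", pkt, offset)[0]

def ap_timestamp(pkt: bytes, rt_len: int):
    """Return the 64-bit Timestamp fixed parameter written by the AP, or None."""
    fc0, fc1 = pkt[rt_len], pkt[rt_len + 1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (5, 8):   # management: 5 = probe response, 8 = beacon
        return None
    hdr_len = 24 + (4 if fc1 & 0x80 else 0)   # Order bit set: 4-byte HT Control follows
    return struct.unpack_from("<Q", pkt, rt_len + hdr_len)[0]

def build_sample(capture_tsft: int, ap_ts: int) -> bytes:
    """Constructed packet: radiotap (TSFT only) + beacon header + fixed parameters."""
    rt = struct.pack("<BBHIQ", 0, 0, 16, 0x1, capture_tsft)
    bssid = bytes.fromhex("020000000001")     # made-up locally administered address
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid * 2 + struct.pack("<H", 0)
    return rt + hdr + struct.pack("<QHH", ap_ts, 100, 0x0401)

if __name__ == "__main__":
    pkt = build_sample(capture_tsft=1_000_250, ap_ts=987_654_321)
    rt_len, tsft = radiotap_tsft(pkt)
    print("radiotap TSFT (capture side):", tsft)
    print("beacon Timestamp (AP side):  ", hex(ap_timestamp(pkt, rt_len)))
```

Both values are little-endian 64-bit microsecond counters, but they come from different clocks: the radiotap one from the capturing adapter, the fixed-parameter one from the access point.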