When I capture network traffic between two geographically dispersed machines with tcpdump or Wireshark, what do the timestamps mean? Is it the time at which machine 1 transmits, or the time at which machine 2 receives the packet? I would like to get my head around this with some pointers to explanations etc. Thanks in advance.
None of these. It is your (local) machine's time used to capture the traffic. This is my first post on this forum, so I am not sure about posting the links but here it is anyway.
Understanding time stamps in Packet Capture Data (.pcap) files
timestamps are derived from the clock on the machine performing the packet capture
On Linux and most systems where libpcap is used, the timestamps are supplied by the kernel. SunOS 5, AIX, and DOS-based systems use the gettimeofday() function instead.
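To make the answer above concrete, here is an added example (not code from the original post or from the linked page) that parses the per-record header of a classic pcap file and pulls out the ts_sec/ts_frac fields that tcpdump and Wireshark display. The sample capture is constructed in memory, not a real trace; the field layout (24-byte global header, 16-byte record header, magic 0xa1b2c3d4 for microseconds and 0xa1b23c4d for nanoseconds) is the documented libpcap format. The value you get back is one number per packet, stamped by the capturing host when it handed the packet to libpcap, so there is no separate "sent" and "received" time in the file.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Magic numbers defined by the libpcap file format. The on-disk byte order
# is whatever the capturing host used, so both orders are accepted below.
MAGIC_USEC = 0xA1B2C3D4  # ts_frac holds microseconds
MAGIC_NSEC = 0xA1B23C4D  # ts_frac holds nanoseconds


@dataclass
class Record:
    ts_sec: int        # seconds since the Unix epoch, capturing host's clock
    ts_frac: int       # fractional part, in units given by frac_divisor
    frac_divisor: int  # 1_000_000 (usec) or 1_000_000_000 (nsec)
    packet: bytes      # captured bytes (incl_len, may be shorter than orig_len)

    @property
    def timestamp(self) -> float:
        return self.ts_sec + self.ts_frac / self.frac_divisor

    def utc(self) -> str:
        # Wireshark/tcpdump render this same field; the time zone applied
        # is the viewer's, the instant itself is the capture host's clock.
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).isoformat()


def parse_pcap(data: bytes):
    """Yield one Record per packet in a classic (non-pcapng) pcap blob."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic_le:08x})")
    frac_divisor = 1_000_000_000 if magic == MAGIC_NSEC else 1_000_000

    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, _vmaj, _vmin, _thiszone, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:24]
    )
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16]
        )
        offset += 16
        if incl_len > snaplen or incl_len > orig_len or offset + incl_len > len(data):
            raise ValueError(f"corrupt record header at offset {offset - 16}")
        yield Record(ts_sec, ts_frac, frac_divisor, data[offset:offset + incl_len])
        offset += incl_len


def build_sample_pcap(records, nanosecond=False, endian="<") -> bytes:
    """Constructed sample data (not a real capture): assemble a pcap in memory.

    records: iterable of (ts_sec, ts_frac, payload_bytes); ts_frac is in usec,
    or in nsec when nanosecond=True.
    """
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload
    return out


def inter_packet_gaps(records) -> list:
    """Seconds between consecutive records, all measured on the capturing host."""
    recs = list(records)
    return [b.timestamp - a.timestamp for a, b in zip(recs, recs[1:])]


if __name__ == "__main__":
    sample = build_sample_pcap([
        (1_700_000_000, 123, b"\x00" * 14),      # constructed frame, 123 usec past the second
        (1_700_000_000, 250_000, b"\x00" * 14),  # constructed frame, 250 ms past the second
    ])
    for rec in parse_pcap(sample):
        print(rec.ts_sec, rec.ts_frac, rec.utc())
```

Because every record carries only the capturing machine's clock, comparing a capture taken on machine 1 with one taken on machine 2 is only meaningful if both hosts' clocks are synchronized (for example via NTP); otherwise the apparent one-way delay between the two files is dominated by clock offset rather than network latency.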