Evaluate and Clarify the Unit of ts_diff in TCP Timestamp Calculations

[biandratti]

The current implementation contains a TODO comment indicating uncertainty about whether the value ts_diff (derived from TCP timestamp values) is in nanoseconds:

// TODO: check if ts_diff is in nanoseconds
let ts_diff = (ts_val.saturating_sub(last_syn_data.ts1) / 1000000) as u64;

The code calculates ts_diff by subtracting two TCP timestamp values (ts_val and last_syn_data.ts1) and dividing the difference by 1000000. However, it's unclear whether this division is correct or appropriate for determining the time difference.

Problem Statement

• Uncertainty in Units: The TCP Timestamp Option (TSval) value increases based on the sender's clock frequency but does not inherently define its unit (e.g., milliseconds, microseconds, or nanoseconds). Dividing the timestamp difference (ts_val - last_syn_data.ts1) by 1000000 assumes that the timestamps are in nanoseconds, which may not be correct.
• Impact on Accuracy: Incorrect assumptions about the timestamp unit can lead to inaccurate calculations of frequency (ffreq) and uptime. This may affect the validity of results, especially for systems or devices using different TCP timestamp scaling factors.

Evaluate with original implementation https://github.com/p0f/p0f/blob/master/fp_tcp.c