tvfbfdb uyvy wrote:

I am developing a tool for dumping all the data from a packet interference engine into a log. I have understood that in pcap_read_packet(), the recvfrom function stores all the data from the socket (related to the file descriptor specified) to a buffer,

Not on the computer on which I'm typing this, it doesn't. On that computer, there is no pcap_read_packet() routine, and pcap_read_bpf() just does a read() from the BPF device.

I.e., what you're describing is the way libpcap works on Linux. Linux is not the only operating system libpcap supports (it's not even the first OS it supported).

On Linux, the recvfrom() call, on a PF_PACKET socket, returns the raw packet data, as well as returning some information in the socket address structure.

and among that data lies the timestamp originated from the driver (correct me please if I'm mistaken so far).

The time stamp is *NOT* returned in the socket address structure. It's fetched with the SIOCGSTAMP ioctl call *after* the recvfrom() call.

I must see how EXACTLY the timestamp is converted to a "struct timeval" in the sock. So far I don't know in what format it comes from (time_t ? long long?). My best lead would be in the recvfrom(), but I cannot find its source code. Please tell me if I should look elsewhere, or even better, how is the receive timestamp of each packet converted from its initial format to the timeval format.

See the Linux kernel source code.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
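
The sequence described in the reply above (recvfrom(), then the time stamp ioctl, `SIOCGSTAMP` from `<linux/sockios.h>`, on the same descriptor), as an added example that is not part of the original thread or of libpcap's code. It assumes Linux and uses a loopback UDP socket as an unprivileged stand-in for a PF_PACKET socket; the function names and the "ping" payload are constructed for the illustration.

```c
#include <linux/sockios.h>   /* SIOCGSTAMP */
#include <netinet/in.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Receive one datagram, then ask the kernel for its receive time stamp.
 * Returns the number of bytes received, or -1 on error. */
static ssize_t recv_with_stamp(int fd, void *buf, size_t len, struct timeval *tv)
{
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    ssize_t n = recvfrom(fd, buf, len, 0, (struct sockaddr *)&from, &fromlen);
    if (n < 0)
        return -1;
    /* The stamp is not in `from`; it takes a separate ioctl on the same fd. */
    if (ioctl(fd, SIOCGSTAMP, tv) < 0)
        return -1;
    return n;
}

/* Constructed demo: send "ping" to ourselves over loopback UDP.
 * Returns 0 on success, -1 on any failure. */
int demo_loopback_stamp(struct timeval *tv, char *buf, size_t len)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    struct timeval timeout = { 2, 0 };   /* do not block forever in recvfrom() */
    int rc = -1;
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (rx >= 0 && tx >= 0 &&
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) == 0 &&
        bind(rx, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        getsockname(rx, (struct sockaddr *)&addr, &alen) == 0 &&
        sendto(tx, "ping", 4, 0, (struct sockaddr *)&addr, sizeof(addr)) == 4 &&
        recv_with_stamp(rx, buf, len, tv) == 4)
        rc = 0;
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return rc;
}
```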