Actually, I really don't care how accurate the timestamps are.
What I REALLY want to know is where does libpcap, not tcpdump, get its
timestamp from when reading from a Linux interface.
The application that is using libpcap sometimes displays unusual timestamps.
I believe this is caused by the hardware clock and the software clock being set
to different times.
So I go back to my original question. Where does libpcap get its timestamp
from in Linux? The hardware clock or the software clock?
Based on what you said below it seems to be the software clock.
Thanks for info.
J.O.
--- On Fri 05/06, Guy Harris [EMAIL PROTECTED] wrote:
From: Guy Harris [mailto: [EMAIL PROTECTED]
To: tcpdump-workers@lists.tcpdump.org
Date: Fri, 06 May 2005 13:09:12 -0700
Subject: Re: [tcpdump-workers] PCAP Timestamp - HWClock or SWClock?
J.O. Leger wrote:
> Is the timestamp in pcap_pkthdr from the hardware clock or the
> software clock?

The timestamp is from whatever it's from. :-)

If you're capturing on an interface on a UN*X or Windows (with WinPcap)
machine, the time stamp is from the capture mechanism that libpcap uses.
Those capture mechanisms almost always use a time stamp maintained by
the OS, and those are usually the combination of

 1) a software clock (in the sense of a value updated periodically by an
interrupt handler), giving the low-precision part of the time (probably
in 1/100ths of a second, maybe higher)

and

 2) a hardware time stamp device of some sort, giving the high-precision
part of the time.

If you're capturing from a DAG card from Endace (recent versions of
libpcap can be built with support for DAG cards), I suspect the time
stamp might come from a purely hardware clock.

I suspect, however, that you didn't ask a question the answer to which
tells you what you ultimately really want to know.

If what you *really* want to know is "how accurate are the time
stamps?", then the answer is "if you care enough about that to ask, they
probably aren't as accurate as you'd like", because

 1) The time stamping isn't done at the instant that the first byte, or
the last byte, of a packet being received is processed by the network
adapter hardware - it's done some time after that, at least for non-DAG
captures. The time stamping is done after the host sees the packet.
That could be delayed by interrupt latency, polling (i.e., the driver
might be running the adapter in a mode where it doesn't interrupt the
host for every packet, but where the driver periodically polls the card
to see whether packets have arrived, so that it gets fewer interrupts
and gets many packets per interrupt, to reduce overhead), and the code
path between the code that initially handles the device or clock
interrupt and the code that gives the packet a time stamp.

 2) The hardware time stamp device of some sort might, or might not, be
a very high accuracy device - in some OSes on newer x86 boxes it might,
for example, be the processor's time stamp counter, which doesn't
necessarily tick at a rate that corresponds well to high-precision
fractions of a second (I think that can be an issue with WinPcap when it
uses an internal Windows kernel routine to read that counter, for
example).

(There might be other issues I've missed.)

So if you need, for example, time stamps with microsecond accuracy,
libpcap probably won't give it to you if you're not capturing on a DAG
card. Even *relative* time stamps - i.e., differences *between* time
stamps - probably won't have microsecond accuracy, because the various
items I listed above don't put a constant offset into the time stamps,
the offset from reality can vary from time stamp to time stamp.

Capturing with a DAG card might help. I can't speak for the Endace
people on that; you should contact them if you need high-accuracy time
stamps:

http://www.endace.com/

There might be other hardware that you could use, although you'd have to
modify libpcap to support it.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
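Added example, not part of the thread and not libpcap code: a check for the "unusual timestamps" symptom in a saved capture. It assumes the classic pcap file format (not pcapng) and relies on the point made above that host time stamps are maintained by the OS, so a clock that is stepped during a capture shows up as a backward step or a large jump between consecutive records. The sample capture and the `max_gap_s` threshold are constructed for illustration.

```python
import struct

# Classic pcap magic (as stored on disk) -> (struct byte order, ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microsecond stamps
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microsecond stamps
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanosecond stamps
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanosecond stamps
}

def read_timestamps(data):
    """Return (ticks_per_second, [timestamp in ticks]) for a classic pcap file."""
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, res = MAGICS[data[:4]]
    stamps, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(data):              # 16-byte per-record header
        sec, frac, incl_len, _orig = struct.unpack_from(order + "4I", data, off)
        if frac >= res:
            raise ValueError("sub-second field out of range at record %d" % len(stamps))
        stamps.append(sec * res + frac)       # integer ticks avoid float rounding
        off += 16 + incl_len                  # jump over the captured bytes
    return res, stamps

def find_anomalies(data, max_gap_s=3600):
    """Flag records whose timestamp steps backwards, or jumps forward by more
    than max_gap_s seconds, relative to the previous record."""
    res, stamps = read_timestamps(data)
    out = []
    for i in range(1, len(stamps)):
        delta = stamps[i] - stamps[i - 1]
        if delta < 0:
            out.append((i, "backwards", delta / res))
        elif delta > max_gap_s * res:
            out.append((i, "gap", delta / res))
    return out

def build_sample():
    """Constructed capture: five 4-byte records, microsecond resolution."""
    times = [(1000, 100), (1000, 350), (997, 500000), (997, 500200), (8000, 0)]
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in times:
        blob += struct.pack("<4I", sec, usec, 4, 4) + b"\x00" * 4
    return blob

if __name__ == "__main__":
    for idx, kind, delta in find_anomalies(build_sample()):
        print("record %d: %s by %.6f s" % (idx, kind, delta))
```
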