[tcpdump-workers] Monotonic clock timestamp on packets
Hi.
Has anyone looked into timestamping the captured packets using
clock_gettime(CLOCK_MONOTONIC, ...)?
I'm thinking adding a struct timespec to struct pcap_pkthdr and filling
that in addition to the struct timeval.
For a request-reply situation a monotonic clock is much more reliable than
gettimeofday().
-
typedef struct me_s {
char name[] = { Thomas Habets };
char email[] = { tho...@habets.pp.se };
char kernel[]= { Linux };
char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On May 3, 2010, at 11:29 PM, Thomas Habets wrote: Has anyone looked into timestamping the captured packets using clock_gettime(CLOCK_MONOTONIC, ...)? I'm thinking adding a struct timespec to struct pcap_pkthdr pcap_pkthdr is in a file. You cannot add *ANYTHING* to it without breaking compatibility; you'd have to introduce a new magic number. BTW, note that if you call clock_gettime(), there is *NO* guarantee that the time it returns has anything to do with the time the packe arrived; it tells you the time when it's called, not the time when the packet arrived. and filling that in addition to the struct timeval. For a request-reply situation a monotonic clock is much more reliable than gettimeofday(). The only platforms on which libpcap uses gettimeofday() are: DLPI platforms where the DLPI module doesn't supply the time stamp (e.g., HP-UX); DOS; Septel devices; USB capturing on Linux if you're not using the memory-mapped interface. On all other platforms - i.e., on most of the platforms where libpcap is used - the time stamps are supplied to userland by the kernel, so if you want to use a different timer, you'll have to modify the kernel. (*BSD, Mac OS X, Linux, Solaris, etc.) take a look at the code. I did. See above. - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On Tue, 4 May 2010, Guy Harris wrote:
BTW, note that if you call clock_gettime(), there is *NO* guarantee
that the time it returns has anything to do with the time the packe
arrived; it tells you the time when it's called, not the time when the
packet arrived.
Exactly. That's why I asked if anyone has taken a look at it. Because
calling it from the application at pcap_dispatch time would be useless.
Just like calling it from libpcap an arbitrary time too late would be
useless.
So if the underlying systems don't provide a monotonic clock for packet
arrival time then that's that.
take a look at the code.
Huh? I never said this.
-
typedef struct me_s {
char name[] = { Thomas Habets };
char email[] = { tho...@habets.pp.se };
char kernel[]= { Linux };
char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
Hello,
Do u want to calculate the time when the packet arrived.
If u want to that time the pkthdr u have the timestructure have the time in
seconds and microseconds.
U can convert the time in seconds normal date-time format using loctime()
api.
Prasanna Kumar.N,
Software Engineer,
IMImobile Plot 770, Rd. 44 Jubilee Hills, Hyderabad - 500033
M +91 916358 T +91 40 2355 5945 - Ext: 220 www.imimobile.com
=
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error, please notify the sender
immediately by e-mail and delete this e-mail from your system. The sender
therefore does not accept liability for any errors or omissions in the
contents of this message, which arise as a result of e-mail transmission.
Please note that any views or opinions presented in this email are solely
those of the author and do not necessarily represent those of the company.
Finally, the recipient should check this email and any attachments for the
presence of viruses. The company accepts no liability for any damage caused
by any attachment with this email.
IMImobile, Plot No:770, Road No : 44, Jubilee Hills, Hyderabad, India,
500033. www.imimobile.com
==
This e-mail message has been scanned for Viruses and Content and cleared by
Symantec Mail Security
-Original Message-
From: tcpdump-workers-ow...@lists.tcpdump.org
[mailto:tcpdump-workers-ow...@lists.tcpdump.org] On Behalf Of Thomas Habets
Sent: Tuesday, May 04, 2010 3:40 PM
To: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] Monotonic clock timestamp on packets
On Tue, 4 May 2010, Guy Harris wrote:
BTW, note that if you call clock_gettime(), there is *NO* guarantee
that the time it returns has anything to do with the time the packe
arrived; it tells you the time when it's called, not the time when the
packet arrived.
Exactly. That's why I asked if anyone has taken a look at it. Because
calling it from the application at pcap_dispatch time would be useless.
Just like calling it from libpcap an arbitrary time too late would be
useless.
So if the underlying systems don't provide a monotonic clock for packet
arrival time then that's that.
take a look at the code.
Huh? I never said this.
-
typedef struct me_s {
char name[] = { Thomas Habets };
char email[] = { tho...@habets.pp.se };
char kernel[]= { Linux };
char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On Tue, 4 May 2010, Prasanna Kumar Nelam wrote:
If u want to that time the pkthdr u have the timestructure have the time in
seconds and microseconds.
In wall clock time, yes. The problem is that this breaks when the time is
changed, using NTP or by some other means. You can even end up with a
negative time delta.
-
typedef struct me_s {
char name[] = { Thomas Habets };
char email[] = { tho...@habets.pp.se };
char kernel[]= { Linux };
char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
