[tcpdump-workers] Monotonic clock timestamp on packets
Hi.

Has anyone looked into timestamping the captured packets using clock_gettime(CLOCK_MONOTONIC, ...)? I'm thinking adding a struct timespec to struct pcap_pkthdr and filling that in addition to the struct timeval.

For a request-reply situation a monotonic clock is much more reliable than gettimeofday().

-
typedef struct me_s {
  char name[] = { Thomas Habets };
  char email[] = { tho...@habets.pp.se };
  char kernel[]= { Linux };
  char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
  char pgp[] = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
  char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;
-
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On May 3, 2010, at 11:29 PM, Thomas Habets wrote:

> Has anyone looked into timestamping the captured packets using clock_gettime(CLOCK_MONOTONIC, ...)? I'm thinking adding a struct timespec to struct pcap_pkthdr

pcap_pkthdr is in a file. You cannot add *ANYTHING* to it without breaking compatibility; you'd have to introduce a new magic number.

BTW, note that if you call clock_gettime(), there is *NO* guarantee that the time it returns has anything to do with the time the packet arrived; it tells you the time when it's called, not the time when the packet arrived.

> and filling that in addition to the struct timeval. For a request-reply situation a monotonic clock is much more reliable than gettimeofday().

The only platforms on which libpcap uses gettimeofday() are:

  DLPI platforms where the DLPI module doesn't supply the time stamp (e.g., HP-UX);
  DOS;
  Septel devices;
  USB capturing on Linux if you're not using the memory-mapped interface.

On all other platforms - i.e., on most of the platforms where libpcap is used - the time stamps are supplied to userland by the kernel, so if you want to use a different timer, you'll have to modify the kernel. (*BSD, Mac OS X, Linux, Solaris, etc.)

> take a look at the code.

I did. See above.
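The compatibility point above, as an added example (not libpcap code and not part of the thread): a minimal reader for the classic pcap file layout, which walks fixed 16-byte record headers, run on a constructed two-packet image and on the same image with 16 extra bytes appended to every record header under the old magic number. `pcap_count` and `build_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u        /* classic format, microsecond stamps */
enum { FILE_HDR = 24, REC_HDR = 16 }; /* fixed on-disk header sizes */

static uint32_t rd32(const uint8_t *p, int be) { /* explicit byte order */
    return be ? (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0];
}

/* Count packet records in a classic pcap image; -1 if it does not parse. */
static int pcap_count(const uint8_t *buf, size_t n) {
    int count = 0;
    if (n < FILE_HDR) return -1;
    int be = rd32(buf, 0) != PCAP_MAGIC;  /* not little-endian: try big */
    if (rd32(buf, be) != PCAP_MAGIC) return -1;
    for (size_t off = FILE_HDR; off < n; count++) {
        if (n - off < REC_HDR) return -1;           /* truncated header */
        uint32_t caplen = rd32(buf + off + 8, be);  /* after ts_sec, ts_usec */
        if (caplen > n - off - REC_HDR) return -1;  /* data runs past end */
        off += REC_HDR + caplen;
    }
    return count;
}

/* Constructed sample: two 4-byte packets, little-endian. `extra` bytes follow
 * each record header, as a widened header would. Needs 64 + 2 * extra bytes. */
static size_t build_sample(uint8_t *out, size_t extra) {
    static const uint8_t fh[FILE_HDR] = {0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0};
    static const uint8_t rh[REC_HDR] = {16, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 4, 0, 0, 0};
    size_t n = FILE_HDR;
    memcpy(out, fh, FILE_HDR);
    for (int i = 0; i < 2; i++, n += 4) {
        memcpy(out + n, rh, REC_HDR); n += REC_HDR;
        memset(out + n, 0xee, extra); n += extra;  /* the added field */
        memset(out + n, 0xaa, 4);                  /* packet bytes */
    }
    return n;
}

int main(void) {
    uint8_t img[128];
    printf("classic header: %d records\n", pcap_count(img, build_sample(img, 0)));
    printf("header + 16 bytes: %d\n", pcap_count(img, build_sample(img, 16)));
    return 0;
}
```

The reader has no way to learn the record header size except from the magic number, so the widened image is rejected after the first record.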
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On Tue, 4 May 2010, Guy Harris wrote:

> BTW, note that if you call clock_gettime(), there is *NO* guarantee that the time it returns has anything to do with the time the packet arrived; it tells you the time when it's called, not the time when the packet arrived.

Exactly. That's why I asked if anyone has taken a look at it. Because calling it from the application at pcap_dispatch time would be useless. Just like calling it from libpcap an arbitrary time too late would be useless.

So if the underlying systems don't provide a monotonic clock for packet arrival time then that's that.

> take a look at the code.

Huh? I never said this.
Re: [tcpdump-workers] Monotonic clock timestamp on packets
Hello,

Do you want to calculate the time when the packet arrived? If you want that time, in the pkthdr you have the time structure, which has the time in seconds and microseconds. You can convert the time in seconds to normal date-time format using the loctime() API.

Prasanna Kumar.N, Software Engineer, IMImobile
Re: [tcpdump-workers] Monotonic clock timestamp on packets
On Tue, 4 May 2010, Prasanna Kumar Nelam wrote:

> If you want that time, in the pkthdr you have the time structure, which has the time in seconds and microseconds.

In wall clock time, yes. The problem is that this breaks when the time is changed, using NTP or by some other means. You can even end up with a negative time delta.
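The negative time delta mentioned in the last message, as an added example that is not part of the thread: request/reply latency computed from two `struct timeval` capture timestamps, with a reply stamped before its request reported as unusable instead of as a latency, plus a scan of a capture's timestamps for backward steps. The function names and the sample timestamps are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Signed difference b - a in microseconds. */
static int64_t tv_delta_us(struct timeval a, struct timeval b) {
    return ((int64_t)b.tv_sec - (int64_t)a.tv_sec) * 1000000
         + ((int64_t)b.tv_usec - (int64_t)a.tv_usec);
}

/* Request/reply latency from two capture timestamps. Returns 0 and stores
 * the latency, or -1 when the reply is stamped before the request, which
 * means the wall clock was set back between the two packets. */
static int rtt_us(struct timeval req, struct timeval rep, int64_t *us) {
    int64_t d = tv_delta_us(req, rep);
    if (d < 0) return -1;
    *us = d;
    return 0;
}

/* Scan timestamps in capture order. Returns the number of backward steps
 * and stores the largest one (a negative value, 0 if none) in *worst_us.
 * A forward step looks like a long gap and cannot be detected this way. */
static int count_backsteps(const struct timeval *ts, size_t n, int64_t *worst_us) {
    int steps = 0;
    *worst_us = 0;
    for (size_t i = 1; i < n; i++) {
        int64_t d = tv_delta_us(ts[i - 1], ts[i]);
        if (d < 0) { steps++; if (d < *worst_us) *worst_us = d; }
    }
    return steps;
}

/* Constructed sample: the third packet is stamped 0.5 s before the second. */
static const struct timeval sample[] = {
    {.tv_sec = 1272960000, .tv_usec = 900000},
    {.tv_sec = 1272960001, .tv_usec = 100000},
    {.tv_sec = 1272960000, .tv_usec = 600000},
    {.tv_sec = 1272960000, .tv_usec = 650000},
};

int main(void) {
    int64_t us = 0, worst;
    int steps = count_backsteps(sample, 4, &worst);
    printf("backward steps: %d, worst %lld us\n", steps, (long long)worst);
    if (rtt_us(sample[1], sample[2], &us) != 0)
        puts("reply stamped before request: latency not usable");
    return 0;
}
```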