On May 3, 2010, at 11:29 PM, Thomas Habets wrote:

> Has anyone looked into timestamping the captured packets using
> clock_gettime(CLOCK_MONOTONIC, ...)?
>
> I'm thinking adding a struct timespec to struct pcap_pkthdr

pcap_pkthdr is in a file. You cannot add *ANYTHING* to it without breaking compatibility; you'd have to introduce a new magic number.

BTW, note that if you call clock_gettime(), there is *NO* guarantee that the time it returns has anything to do with the time the packet arrived; it tells you the time when it's called, not the time when the packet arrived.

> and filling that in addition to the struct timeval.
>
> For a request-reply situation a monotonic clock is much more reliable than
> gettimeofday().

The only platforms on which libpcap uses gettimeofday() are:

    DLPI platforms where the DLPI module doesn't supply the time stamp (e.g., HP-UX);

    DOS;

    Septel devices;

    USB capturing on Linux if you're not using the memory-mapped interface.

On all other platforms - i.e., on most of the platforms where libpcap is used - the time stamps are supplied to userland by the kernel, so if you want to use a different timer, you'll have to modify the kernel. (*BSD, Mac OS X, Linux, Solaris, etc.)

> take a look at the code.

I did. See above.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
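
An added illustration, not code from libpcap or from anyone in this thread, of why the on-disk record header cannot grow without a new magic number: a reader locates each packet purely from the fixed 16-byte header, and the magic is the only field that tells it how to interpret the file. The nanosecond magic 0xa1b23c4d is a value libpcap recognises but is not mentioned in the message; `pcap_walk`, `rd32` and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FILE_HDR_LEN 24          /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR_LEN  16          /* ts_sec, ts_frac, caplen, len: fixed on disk */
#define MAGIC_USEC 0xa1b2c3d4u   /* ts_frac counts microseconds */
#define MAGIC_NSEC 0xa1b23c4du   /* ts_frac counts nanoseconds */

/* Constructed sample: little-endian, microsecond magic, two records (2 and 1 data bytes). */
const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    1,0,0,0, 0x20,0xa1,0x07,0, 2,0,0,0, 2,0,0,0, 0xaa,0xbb,
    2,0,0,0, 0,0,0,0,          1,0,0,0, 1,0,0,0, 0xcc };

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Walk every record; return the packet count, or -1 on an unknown magic or a
   record that does not fit. *frac_per_sec reports the unit the magic selects. */
long pcap_walk(const uint8_t *buf, size_t n, uint32_t *frac_per_sec) {
    int be = 0;
    uint32_t magic;
    if (n < FILE_HDR_LEN) return -1;
    magic = rd32(buf, 0);
    if (magic != MAGIC_USEC && magic != MAGIC_NSEC) {
        be = 1;                               /* try the other byte order */
        magic = rd32(buf, 1);
        if (magic != MAGIC_USEC && magic != MAGIC_NSEC) return -1;
    }
    *frac_per_sec = (magic == MAGIC_NSEC) ? 1000000000u : 1000000u;
    long count = 0;
    for (size_t off = FILE_HDR_LEN; off < n; count++) {
        if (n - off < REC_HDR_LEN) return -1; /* truncated record header */
        uint32_t frac = rd32(buf + off + 4, be);
        uint32_t caplen = rd32(buf + off + 8, be);
        if (frac >= *frac_per_sec) return -1; /* fraction invalid for this magic */
        if (caplen > n - off - REC_HDR_LEN) return -1;
        off += REC_HDR_LEN + (size_t)caplen;
    }
    return count;
}

int main(void) {
    uint32_t unit = 0;
    long n = pcap_walk(SAMPLE, sizeof SAMPLE, &unit);
    printf("%ld packets, %u fractional units per second\n", n, (unsigned)unit);
    return 0;
}
```

If a writer kept the old magic but appended a struct timespec to each record header, this reader would take the extra bytes for caplen and lose its place in the file.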