On Nov 24, 2012, at 9:50 PM, abhinav narain <abhinavnarai...@gmail.com> wrote:
> hi,
> I am looking for timestamp provided by pcap header and later used by
> tcpdump.
> Seems like some of wireless drivers do not provide the mac tsf timestamp.
> I can't figure out the timestamp meaning in pcap.
> Its surely not the time when packet arrived at the driver (referring to
> tsft).
It's the time that whatever part of the networking stack, including the packet
capture mechanism (BPF, PF_PACKET sockets, WinPcap driver, DLPI, etc.), or
possibly the network adapter itself, decides to time-stamp the packet.
> Looking at old pcap (not using mmap), it seems this is got by ioctl system,
> which is a deprecated mechanism ( I suppose) and not many drivers provide
> ioctl implementation.
Not all ioctls go to the driver.
In the case of Linux, packets come from skbuffs, and skbuffs get time-stamped
at various points in the receive path. (Yes, I'm too lazy to go looking for
them. :-)) When a packet is read from a PF_PACKET socket by a recvmsg() call,
the packet's time stamp is copied to the socket's time stamp, and the ioctl
returns the time stamp from the socket, so it returns the time stamp from the
last packet read. (At least as of the 3.0.4 kernel, that's done in a
sock_recv_ts_and_drops() call in packet_recvmsg(); it might be different in
other kernel versions.)
> On the other hand, I don't have any idea how the mmap code is getting the
> packet timestamp !
> Can someone throw light on this ?
See tpacket_rcv(). It does, for example (again, 3.0.4 kernel, which is the
last version I downloaded to my Linux kernel source pile):
switch (po->tp_version) {
case TPACKET_V1:
...
if ((po->tp_tstamp & SOF_TIMESTAMPING_SYS_HARDWARE)
&& shhwtstamps->syststamp.tv64)
tv = ktime_to_timeval(shhwtstamps->syststamp);
else if ((po->tp_tstamp & SOF_TIMESTAMPING_RAW_HARDWARE)
&& shhwtstamps->hwtstamp.tv64)
tv = ktime_to_timeval(shhwtstamps->hwtstamp);
else if (skb->tstamp.tv64)
tv = ktime_to_timeval(skb->tstamp);
else
do_gettimeofday(&tv);
h.h1->tp_sec = tv.tv_sec;
h.h1->tp_usec = tv.tv_usec;
hdrlen = sizeof(*h.h1);
break;
case TPACKET_V2:
...
if ((po->tp_tstamp & SOF_TIMESTAMPING_SYS_HARDWARE)
&& shhwtstamps->syststamp.tv64)
ts = ktime_to_timespec(shhwtstamps->syststamp);
else if ((po->tp_tstamp & SOF_TIMESTAMPING_RAW_HARDWARE)
&& shhwtstamps->hwtstamp.tv64)
ts = ktime_to_timespec(shhwtstamps->hwtstamp);
else if (skb->tstamp.tv64)
ts = ktime_to_timespec(skb->tstamp);
else
getnstimeofday(&ts);
h.h2->tp_sec = ts.tv_sec;
h.h2->tp_nsec = ts.tv_nsec;
...
break;
default:
BUG();
}
which is processing an incoming skbuff and copying the appropriate time stamp
from the skbuff to the memory-mapped ring buffer (or, if there is no time
stamp, setting it to the current time).
> The ioctl could be traced to another function call on struct sock *, but I
> have not been able to comprehend the meaning of the timestamp provided.
The meaning is "some time more or less related to the time of arrival of the
packet, but, unless it's a hardware time stamp, don't rely on it being set to a
time that's as close to the actual arrival time of the packet as you might
like". :-) For example, don't assume you can time network events down to the
nanosecond with the time stamps from libpcap/WinPcap unless it's on an OS that
supports hardware time stamping with a libpcap that can get those time stamps
from the OS (which I think means "Linux and FreeBSD") and with a network
adapter that supports hardware time stamping (I don't know if any 802.11
adapters do) and that has a driver for your OS that supports hardware time
stamping and the program doing the capture and the system doing the capture are
set up to do hardware time stamping.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
