On Sun, Dec 02, 2001 at 11:34:02PM +0100, Pepa Flores wrote:
> First : Could you explain to me how do tcpdump and linux kernel work? It
> means, Can I know the time between the Ethernet card 'hears' the packet and
> the timestamp for this packet is printed?
Tcpdump uses libpcap to capture packets; the time stamp that tcpdump
prints is the one it gets from libpcap.
On Linux, libpcap gets the time stamp by doing a SIOCGSTAMP "ioctl" on
the PF_PACKET socket (or SOCK_PACKET/PF_INET, on 2.0[.x] kernels, but
we'll ignore those older kernels for now; I'll discuss the 2.4.9 kernel,
but I think 2.2[.x] and 2.4[.x] kernels all behave similarly here) from
which it's receiving packets. That "ioctl" returns the time stamp value
stored for the socket.
The time stamp for the socket is set by the inline function
"sock_recv_timestamp()"; it's set, on PF_PACKET sockets, by
"packet_recvmsg()", which is the kernel routine called for a "recvmsg()"
call on a PF_PACKET socket. It sets that time stamp to the time stamp
for the packet that's read with the "recvmsg()".
That time stamp, in turn, is set, for received packets, by the
"netif_rx()" routine, if no other routine has already set a time stamp.
"netif_rx()" is called by network device drivers to pass an incoming
network packet to the networking stack.
So the time between when the Ethernet card sees the packet and the
timestamp for the packet is printed can be divided into:

    the time between when the Ethernet card sees the packet and the
    time stamp for the packet is set

and

    the time between when the time stamp for the packet is set and
    the time stamp for the packet is printed.

You can't determine the first of those, because you can't determine, for
most (possibly all) Ethernet cards, when the card saw the packet:

    the time stamp for the packet isn't set as soon as the packet is
    seen by the Ethernet card (that could only happen if the
    Ethernet card *itself* had a timer *and* put a time stamp into
    the receive buffer; I don't know of any cards that do that, and
    don't know of any Linux drivers that do that, but there could, I
    guess, be one);

    it's also not set as soon as the driver for the Ethernet card
    sees the packet, unless there are drivers that set the time
    stamp themselves rather than having "netif_rx()" do it (there
    might be some, but a quick grep through the "drivers/net"
    directory didn't show any drivers that directly set the "stamp"
    field).

Tcpdump could, I guess, determine the second of them, by calling
"gettimeofday()" whenever it prints a time stamp - but "gettimeofday()"
could itself take a significant amount of time, if you're interested in
*very* high-precision timing.
But I'm not sure it matters - what you probably want is the time the
packet arrives and, although you can't get that *precise* time (for the
reasons listed above - unless you have a network card that can, itself,
supply a time stamp for packets *and* a driver that uses that time
stamp), you can, at least, get the time that "netif_rx()" sees the
packet.
> Second : Which one is better in order to get the maximum accuracy? The first
> instruction doesn't filter, but it writes more packets in the file.
>
> tcpdump -ttne -x -s 20 -w file
> tcpdump -ttne -x -s 20 udp -w file
The packet's time stamp is set before the packet is processed by the
filter, so the use of a packet filter shouldn't cause you to get less
accurate time stamps.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
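As an added illustration (not code from this thread, nor from tcpdump or libpcap): a small Linux C program that receives frames on a PF_PACKET socket, reads the kernel's per-packet time stamp with the SIOCGSTAMP ioctl exactly as the reply describes, and compares it with gettimeofday() to measure the second of the two intervals, the delay between the time stamp being set in the kernel and it being printed. It assumes Linux, root (CAP_NET_RAW), and that capturing on all interfaces is acceptable.

```c
/* Added example: measure stamp-to-print delay on a PF_PACKET socket.
 * Requires Linux and root (CAP_NET_RAW). */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <linux/sockios.h>     /* SIOCGSTAMP */
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <arpa/inet.h>

/* Microseconds from a to b (b - a); negative if b is earlier than a. */
long timeval_diff_us(struct timeval a, struct timeval b)
{
    return (b.tv_sec - a.tv_sec) * 1000000L + (b.tv_usec - a.tv_usec);
}

int main(void)
{
    /* Same socket type libpcap uses on 2.2/2.4 kernels: PF_PACKET, all protocols */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }

    for (int i = 0; i < 5; i++) {
        unsigned char buf[2048];
        /* Kernel side: packet_recvmsg() copies the packet's stamp to the socket */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); return 1; }

        struct timeval stamp, now;
        /* Read back the time stamp netif_rx() stored for the packet just received */
        if (ioctl(fd, SIOCGSTAMP, &stamp) < 0) { perror("SIOCGSTAMP"); return 1; }
        gettimeofday(&now, NULL);   /* the moment user space is about to print it */

        printf("%ld.%06ld len=%zd  stamp-to-print delay: %ld us\n",
               (long)stamp.tv_sec, (long)stamp.tv_usec, n,
               timeval_diff_us(stamp, now));
    }
    close(fd);
    return 0;
}
```

The delay printed is only the user-space half of the picture; as the reply notes, the interval between the card seeing the frame and netif_rx() stamping it is not observable from software on ordinary cards.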