Hello,
I am looking for advice on the best way to represent multiple timestamps for
a packet.
First, the context. As part of my work (network stack developer for a
phone/computer manufacturer), I frequently find myself having to identify the
amount of time that packets have spent in the different layers of the network
stack. There are tools to capture packets at the different layers, and all can
produce output in pcap/pcapng format, if asked nicely.
For example, consider the following (vastly simplified) diagram of a kernel
network stack. One can use tcpdump as well as other tools to capture the packet
timing at the different layers:
+----------------------------+
| Transport protocols        |
|                            |
+----------------------------+
              ^
              |
              v
+----------------------------+
| Inet layer                 | <- tcpdump -i iptap
|                            |
+----------------------------+
              ^
              |
              v
+----------------------------+
| Network interface layer    | <- tcpdump -i any
| AQM and input queues       | <- tcpdump -I pktap
+----------------------------+
              ^
              |
              v
+----------------------------+
| Cellular Modem Driver      | <- proprietary trace tools specific
|                            |    to the driver software, can produce
+----------------------------+    pcap output
              ^
              |
              v
+----------------------------+
| Cellular Modem Firmware    | <- proprietary trace tools specific
| PDCP and similar queues    |    to the modem hardware, can produce
+----------------------------+    pcap output (NOTE: different time domain)
While the specifics of the tracing software that can produce pcap files from
the driver/firmware are proprietary (and I cannot discuss those), the key
takeaway is that all can produce output in the pcap/pcapng format.
Once the capture has commenced, the engineer will have a set of pcap files. The
current practice is to export the cross-layer delay information into a Jupyter
notebook, and continue the analysis there.
Now, the question.
I would be much happier if I could do more of the analysis within Wireshark, so
that I could easily correlate, for example, excessive buffering in the driver
with the SACK holes.
It seems to me that in order to do that, the timing information from the
different pcap files (collected at different trace points) should be collated
into a single stream of packets, with every relevant packet having multiple
time stamps corresponding to the different stack layers.
I wonder whether it is possible to combine the different timing information
into a single pcapng file, so that the different delays could be embedded in a
single packet.
I was thinking about two approaches to embedding the timing information into
pcap files:
1. Introducing additional packet metadata to the extended headers.
2. Introducing a “pseudo” protocol to represent the different layers.
I tend to like the second approach better, but I wonder what the Wireshark
community can suggest?
Best regards,
- oesh
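An added illustration of the first approach (per-packet metadata in the pcapng container), not code from the original post or from Wireshark: it merges the per-layer capture times of each packet into one pcapng file, anchoring each Enhanced Packet Block on the earliest layer's timestamp and recording the other layers' timestamps and inter-layer delays in the standard opt_comment option, which Wireshark exposes as frame.comment. The sample captures, the layer names, the use of the IPv4 identification field as the cross-capture packet key, and the assumption that the modem trace has already been converted to the kernel clock are all constructed for this example.

```python
import struct

# Constructed sample (not from the original post): two packets seen at three
# trace points, keyed by the IPv4 identification field (an assumed per-packet
# identity) and mapped to capture time in microseconds. The modem trace is in
# another time domain and is assumed already converted to the kernel clock.
LAYERS = ["inet", "netif", "driver"]
CAPTURES = {
    "inet":   {0x1001: 1_700_000_000_000_000, 0x1002: 1_700_000_000_000_500},
    "netif":  {0x1001: 1_700_000_000_000_120, 0x1002: 1_700_000_000_000_590},
    "driver": {0x1001: 1_700_000_000_002_400, 0x1002: 1_700_000_000_000_700},
}

def ipv4_header(ident):
    """Constructed 20-byte IPv4 header (protocol UDP) carrying the given identification."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def layer_delays(key):
    """Per-layer timestamps of one packet and the delay between consecutive layers (us)."""
    stamps = [(layer, CAPTURES[layer][key]) for layer in LAYERS if key in CAPTURES[layer]]
    delays = [(a, b, tb - ta) for (a, ta), (b, tb) in zip(stamps, stamps[1:])]
    return stamps, delays

def comment_for(key):
    """Encode the per-layer timing as a packet comment (shown by Wireshark as frame.comment)."""
    stamps, delays = layer_delays(key)
    return ";".join([f"{l}={t}" for l, t in stamps] + [f"{a}->{b}={d}us" for a, b, d in delays])

def _block(btype, body):
    """pcapng general block: type, total length, body, total length (little-endian)."""
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)
def _option(code, value):
    """pcapng option: code, length, value padded to a 32-bit boundary."""
    return struct.pack("<HH", code, len(value)) + value + b"\0" * ((-len(value)) % 4)

def build_pcapng():
    """Section header, one LINKTYPE_RAW interface at 10^-6 s resolution, one EPB per packet."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(1, struct.pack("<HHI", 101, 0, 65535) + _option(9, b"\x06") + _option(0, b""))
    blocks = [shb, idb]
    for key in sorted(CAPTURES[LAYERS[0]]):
        ts = CAPTURES[LAYERS[0]][key]  # the earliest layer anchors the frame timestamp
        data = ipv4_header(key)
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        body += data + b"\0" * ((-len(data)) % 4)
        body += _option(1, comment_for(key).encode()) + _option(0, b"")
        blocks.append(_block(6, body))
    return b"".join(blocks)  # complete pcapng file bytes, e.g. open("merged.pcapng", "wb").write(...)
```

Opening the resulting file in Wireshark shows the per-layer timing in each packet's comment, so a display filter such as frame.comment contains "driver" can be combined with the usual TCP analysis fields.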
_______________________________________________
Wireshark-dev mailing list -- [email protected]