On Feb 26, 2009, at 5:22 PM, Guy Harris wrote:
The *accuracy* is limited by the fact that most network adapters
aren't designed primarily for use when capturing traffic, so they
don't do their own packet timestamping, and libpcap normally just
plugs into the OS's built-in facilities for capturing packets, and
those either use the OS's networking stack, which is designed
primarily for regular network traffic rather than traffic capture
and might sacrifice low latency for higher throughput (thus adding
delays that get in the way of time stamping), and which plugs into
device drivers *also* designed primarily for regular network traffic
rather than traffic capture, or use something such as BPF that might
bypass the networking stack but *doesn't* bypass the driver.
Although it *appears* that, with current versions of the Linux kernel,
the driver *could* timestamp the packet (setting the time in the
skbuff) and netif_rx() won't timestamp it itself:
int netif_rx(struct sk_buff *skb)
{
struct softnet_data *queue;
unsigned long flags;
/* if netpoll wants it, pretend we never saw it */
if (netpoll_rx(skb))
return NET_RX_DROP;
if (!skb->tstamp.tv64)
net_timestamp(skb);
...
so that if the network adapter provided a time stamp along with the
packet data, the driver would set the time stamp for the skbuff before
handing it to the networking stack.
Similarly, with variants of the bpf_tap() and bpf_mtap() kernel APIs
that take a time stamp as an argument, the BPF mechanisms in *BSD
could let the driver supply a time stamp when it hands a packet to BPF.
That would let you have a regular network adapter that time-stamps
packets itself, so you could get accurate time stamps on incoming
packets and still have the adapter usable as a regular network adapter
as well as an adapter for capturing traffic. You still wouldn't get
accurate time stamps on *outgoing* packets, if by "accurate" you mean
"gives the time at which the packet was put onto the network".
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.