2009/2/27 Guy Harris <g...@alum.mit.edu> > > On Feb 26, 2009, at 5:22 PM, Guy Harris wrote: > > The *accuracy* is limited by the fact that most network adapters aren't >> designed primarily for use when capturing traffic, so they don't do their >> own packet timestamping, and libpcap normally just plugs into the OS's >> built-in facilities for capturing packets, and those either use the OS's >> networking stack, which is designed primarily for regular network traffic >> rather than traffic capture and might sacrifice low latency for higher >> throughput (thus adding delays that get in the way of time stamping), and >> which plugs into device drivers *also* designed primarily for regular >> network traffic rather than traffic capture, or use something such as BPF >> that might bypass the networking stack but *doesn't* bypass the driver. >> > > Although it *appears* that, with current versions of the Linux kernel, the > driver *could* timestamp the packet (setting the time in the skbuff) and > netif_rx() won't timestamp it itself: > > int netif_rx(struct sk_buff *skb) > { > struct softnet_data *queue; > unsigned long flags; > > /* if netpoll wants it, pretend we never saw it */ > if (netpoll_rx(skb)) > return NET_RX_DROP; > > if (!skb->tstamp.tv64) > net_timestamp(skb); > > ... > > so that if the network adapter provided a time stamp along with the packet > data, the driver would set the time stamp for the skbuff before handing it > to the networking stack. > > Similarly, with variants of the bpf_tap() and bpf_mtap() kernel APIs that > take a time stamp as an argument, the BPF mechanisms in *BSD could let the > driver supply a time stamp when it hands a packet to BPF. > > That would let you have a regular network adapter that time-stamps packets > itself, so you could get accurate time stamps on incoming packets and still > have the adapter usable as a regular network adapter as well as an adapter > for capturing traffic. You still wouldn't get accurate time stamps on > *outgoing* packets, if by "accurate" you mean "gives the time at which the > packet was put onto the network".
Thank you for your informations, I apologize for melting precision and accuracy, you understood my mistake. I worked on old Linux Kernel versions so I will try the latest ones to see hardware timestamping. So now I have to search for Network cards which can timestamp the packets with nanosecond resolution (Endace DAG cards can apparently do that) and then modify a bit libPcap to take advantage of the nanosecond timestamping (nanosecond timestamp MagicNumber etc.). - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.