Re: Monotonic clock timestamp on packets

[Guy Harris <guy () alum mit edu>]

On May 3, 2010, at 11:29 PM, Thomas Habets wrote:

> Has anyone looked into timestamping the captured packets using clock_gettime(CLOCK_MONOTONIC, ...)?
>
> I'm thinking adding a struct timespec to struct pcap_pkthdr

pcap_pkthdr is in a file.  You cannot add *ANYTHING* to it without breaking compatibility; you'd have to introduce a 
new magic number.

BTW, note that if you call clock_gettime(), there is *NO* guarantee that the time it returns has anything to do with 
the time the packe arrived; it tells you the time when it's called, not the time when the packet arrived.

> and filling that in addition to the struct timeval.
>
> For a request-reply situation a monotonic clock is much more reliable than gettimeofday().

The only platforms on which libpcap uses gettimeofday() are:

        DLPI platforms where the DLPI module doesn't supply the time stamp (e.g., HP-UX);

        DOS;

        Septel devices;

        USB capturing on Linux if you're not using the memory-mapped interface.

On all other platforms - i.e., on most of the platforms where libpcap is used - the time stamps are supplied to 
userland by the kernel, so if you want to use a different timer, you'll have to modify the kernel.  (*BSD, Mac OS X, 
Linux, Solaris, etc.)

> take a look at the code.

I did.  See above.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.