tcpdump mailing list archives

Re: tcpdump and timestamps


From: Guy Harris <guy () alum mit edu>
Date: Tue, 9 Nov 2010 01:39:36 -0800


On Nov 9, 2010, at 1:15 AM, Andrej van der Zee wrote:

> Today I received a tcpdump file from a client with timestamps that did
> not correspond to the system clock. If I remember correctly, tcpdump
> does not store complete timestamps but only a delta compared to the
> first timestamp.

No.  Each packet in a pcap file has a full timestamp, represented as a pair of {seconds since January 1, 1970, 00:00:00 GMT, microseconds since the beginning of that second}:

        http://www.FreeBSD.org/cgi/man.cgi?query=pcap-savefile&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

> I guess tcpdump does not read the system clock every
> time, but has its own mechanisms. My question is, how does tcpdump
> calculate its timestamps?

Tcpdump uses libpcap to capture network traffic (as do several other applications).  The way the packet time stamps are obtained by libpcap depends on the capture mechanism libpcap uses:

        in systems with BPF, such as *BSD, Mac OS X, and AIX, BPF supplies time stamps - typically, each packet is time stamped by reading the system clock when it's processed by BPF;

        in Linux systems, the time stamps come from the PF_PACKET socket from which libpcap reads - typically, each packet is time stamped by reading the system clock when it's processed by the networking stack;

        in Solaris systems, the time stamps come from the DLPI stream from which libpcap reads - typically, each packet is time stamped by reading the system clock when it's processed by the bufmod code;

        in other UN*X systems, it depends on the mechanism the particular UN*X uses, but it probably involves reading the system clock.

WinDump, the Windows port of tcpdump, uses WinPcap, the Windows port of libpcap.  The time stamps come from the WinPcap driver, which might, depending on how it's configured, read the system clock for each packet, or might read it when it starts and, for each packet, add a value from the performance counter to it.  In the latter case, the time stamps might drift from the system clock value.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
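Added example, not code from this thread or from libpcap: a small Python reader for the pcap record headers described above, showing that every record carries its own absolute {seconds since the epoch, fraction of a second} pair rather than a delta from the first packet. The sample capture is constructed; the magic numbers are the standard pcap ones, and the nanosecond-resolution variant (0xA1B23C4D) goes beyond what the message mentions.

```python
import struct
from datetime import datetime, timedelta, timezone

MAGIC_USEC = 0xA1B2C3D4  # classic pcap: timestamps in seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D  # libpcap's nanosecond-resolution variant of the format
GLOBAL_HDR = 24          # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16          # ts_sec, ts_frac, incl_len, orig_len


def read_pcap_timestamps(data):
    """Return (ts_sec, microseconds, ISO-8601 UTC string) for every packet record.

    Each record header carries its own absolute {seconds since 1970-01-01
    00:00:00 UTC, fraction of that second}; nothing is relative to the first
    packet, so one bad record does not shift the others.
    """
    for order in ("<", ">"):             # magic number also reveals byte order
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic number)")
    divisor = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    result, offset = [], GLOBAL_HDR
    while offset + RECORD_HDR <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR])
        if ts_frac >= divisor:           # fraction must stay within one second
            raise ValueError(f"record at offset {offset}: fraction {ts_frac} out of range")
        micros = ts_frac * 1_000_000 // divisor
        when = epoch + timedelta(seconds=ts_sec, microseconds=micros)
        result.append((ts_sec, micros, when.isoformat()))
        offset += RECORD_HDR + incl_len  # skip the captured bytes themselves
    return result


def build_sample_pcap(order="<", magic=MAGIC_USEC):
    """Constructed two-packet capture (linktype 1 = Ethernet) for the demo."""
    hdr = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 14                 # constructed placeholder frame
    def rec(sec, frac):
        return struct.pack(order + "IIII", sec, frac, len(frame), len(frame)) + frame
    # 1289295576 = 2010-11-09 09:39:36 UTC, the date on this message
    return hdr + rec(1289295576, 500000) + rec(1289295577, 250)


if __name__ == "__main__":
    for sec, micros, iso in read_pcap_timestamps(build_sample_pcap()):
        print(f"{sec}.{micros:06d}  {iso}")
```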