tcpdump mailing list archives
Re: timestamp in Packet Data
From: "Mcmillan, Scott A" <scott.a.mcmillan () intel com>
Date: Mon, 11 Jul 2011 10:32:58 -0700
There are many factors that make the timestamps an approximation. In addition to the ones already mentioned, the timestamp is typically taken several kernel layers higher than the driver. You can avoid these approximations on Linux by using tcpdump -j / -J with a NIC that is capable of hardware timestamping (plug: such as the Intel 82580 NIC). The -j / -J options are only available in the git repository.

Scott

-----Original Message-----
From: tcpdump-workers-owner () lists tcpdump org [mailto:tcpdump-workers-owner () lists tcpdump org] On Behalf Of Sanjay Sundaresan
Sent: Saturday, July 09, 2011 7:59 PM
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] timestamp in Packet Data

Is the approximation because of the fact that NIC card generates interrupt only after some number of packets arrive? Does device polling affect time stamp? At what stage of capture time stamping is done?

On Sat, Jul 9, 2011 at 6:59 PM, Alokat <mailing () alokat org> wrote:
> On 07/09/11 21:56, Guy Harris wrote:
>> On Jul 9, 2011, at 4:41 PM, Alokat wrote:
>>> I'm wondering what is in the pcap_data (pcap file format) and what is
>>> not? Especially the timestamp ... is it just in the packet_header or
>>> in the packet_data too?
>>
>> A pcap file starts with a header. Following the header are zero or more
>> packet records. A packet record has a header, which includes the packet
>> time stamp, followed by packet data, which is just the raw data as
>> supplied to libpcap/WinPcap by whatever mechanism it uses. That mechanism
>> supplies the packet time stamp for inclusion in the header, so there is
>> no reason to expect that it will also be in the packet data, especially
>> given that no link layers would include that time stamp (it's not in an
>> Ethernet header, for example), so the time stamp is just in the packet
>> header, not the packet data.
>>
>> The time stamp is an approximation of the time when the packet was
>> received by the machine that captured it.
>
> Okay, Thanks for your answer ...
>
> Regards,
> alokat
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
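
The record layout Guy Harris describes in the quoted reply, shown as an added example that is not part of the thread or of libpcap's code: a minimal pcap reader that pulls the time stamp out of each per-record header and returns the packet data untouched. It goes beyond the thread by also accepting big-endian files and the nanosecond-resolution magic number; `read_pcap`, `build_sample`, the sample frame and the time stamp values are constructed for illustration.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap: fraction field is microseconds
MAGIC_NSEC = 0xA1B23C4D  # variant magic: fraction field is nanoseconds

def read_pcap(buf):
    """Parse a pcap byte string into (linktype, frac_per_sec, records)."""
    if len(buf) < 24:
        raise ValueError("truncated file header")
    for endian in ("<", ">"):  # the writer's byte order is detected from the magic
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file")
    frac_per_sec = 10**6 if magic == MAGIC_USEC else 10**9
    # magic, version major/minor, thiszone, sigfigs, snaplen, link-layer type
    linktype = struct.unpack(endian + "IHHiIII", buf[:24])[6]
    records, off = [], 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header")
        # Per-record header: the time stamp lives here, ahead of the packet data.
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        if off + incl_len > len(buf):
            raise ValueError("record data runs past end of file")
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac,
                        "orig_len": orig_len, "data": buf[off:off + incl_len]})
        off += incl_len
    return linktype, frac_per_sec, records

def build_sample(endian="<", magic=MAGIC_USEC, frac=250000):
    """Constructed one-packet capture holding a 60-byte Ethernet frame."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)
    hdr = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    rec = struct.pack(endian + "IIII", 1310254860, frac, len(frame), len(frame))
    return hdr + rec + frame, frame

if __name__ == "__main__":
    blob, frame = build_sample()
    linktype, frac_per_sec, records = read_pcap(blob)
    for r in records:
        print("time stamp (record header): %d.%06d" % (r["ts_sec"], r["ts_frac"]))
        print("data equals the raw frame:", r["data"] == frame)
        print("stamp bytes present in data:", blob[24:32] in r["data"])
```

Anything that rewrites the 16-byte record header changes the time stamp without touching a byte of the frame, which is why the stamp reflects the capturing host's clock rather than anything carried on the wire.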