tcpdump mailing list archives
Re: Printing nanosecond timestamp information in raw output
From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Dec 2012 14:59:46 -0800
On Dec 28, 2012, at 1:15 PM, Maik Jäkel <email () maikjaekel de> wrote:
> for 2 days I'm now searching for the appropriate position to insert 5 lines of code:
Insert into tcpdump or insert into some other program?
> I'm trying to print out a current timestamp with nanosecond accuracy between every printed packet. I want to print packets in raw format / hex format and want to write down the exact time they were received.
(Presumably, in English, you mean "*before* every printed packet"; if there are N printed packets, there are only N - 1 places between every printed packet, so you can't time-stamp every packet by printing a time stamp between packets.)

tcpdump *already* prints the timestamp supplied by libpcap; unfortunately:

1) it has microsecond resolution, not nanosecond resolution;

2) it's not guaranteed to be the *exact* time - the time stamp might be assigned to the packet when it's first seen by the networking stack, which could be some time before the first or last bit of the packet arrives at the network adapter;

3) even given point 2, it's closer to the exact time that the packet was received than any time you will get by making an operating system call to get the time, as it'll be even *longer* after the packet arrived than any time stamp you get from libpcap.

All of those would apply to any program using libpcap, not just to tcpdump.

If you really want nanosecond-resolution and accurate time stamps, you would either have to use your OS's packet capture mechanism directly, in your own program, rather than using libpcap, and do whatever's necessary to get nanosecond-resolution high-accuracy time stamps (which might mean you'd need a network adapter that supplies time stamps with nanosecond resolution, and you'd need OS support for that, which newer versions of the Linux kernel have and newer versions of FreeBSD might have), or libpcap would have to be modified to support that (recent versions have support for hardware time stamps in Linux and FreeBSD, if the hardware and OS support them, but they'd need to be extended to support requesting nanosecond-resolution time stamps).

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
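The resolution limit described in the reply is visible in the capture file itself. This is an added example, not part of the original message or of tcpdump/libpcap code: it reads a classic pcap file and prints each packet's capture timestamp before its raw hex, treating the fractional field as microseconds or, going beyond what the message describes, as nanoseconds when the file carries the nanosecond magic `0xa1b23c4d`. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap file magics; the value tells how to read each record's fractional field.
MAGIC_USEC = 0xA1B2C3D4  # fraction counts microseconds
MAGIC_NSEC = 0xA1B23C4D  # fraction counts nanoseconds

def read_pcap(data):
    """Yield (seconds, nanoseconds, resolution, packet_bytes) for each record."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    for endian in (">", "<"):  # the writer's byte order is unknown, so try both
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    resolution, scale = ("ns", 1) if magic == MAGIC_NSEC else ("us", 1000)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet data")
        yield sec, frac * scale, resolution, data[off:off + caplen]
        off += caplen

def dump(data):
    """Return one line per packet: timestamp first, then the raw bytes in hex."""
    # For "us" files the last three digits are zero padding, not measured time.
    return [f"{sec}.{nsec:09d} [{res}] {pkt.hex()}"
            for sec, nsec, res, pkt in read_pcap(data)]

def _sample(magic, frac):
    # Constructed one-packet capture (hypothetical bytes, not real traffic).
    hdr = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    pkt = bytes.fromhex("ffffffffffff0011223344550800")
    rec = struct.pack("<IIII", 1356735586, frac, len(pkt), len(pkt))
    return hdr + rec + pkt

if __name__ == "__main__":
    print(*dump(_sample(MAGIC_USEC, 123456)), sep="\n")
    print(*dump(_sample(MAGIC_NSEC, 123456789)), sep="\n")
```

The printed resolution tag only reflects how the time stamp was stored; as point 2 of the reply notes, it says nothing about how close that value is to the packet's actual arrival time.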