Fwd: Re: Printing nanosecond timestamp information in raw output

[Maik Jäkel <email () maikjaekel de>]

Sorry, I forgot to reply to the mailing list. My answer to Guy Harris is attached.


-------- Original-Nachricht --------
Von: "Maik Jäkel" <email () maikjaekel de>
Gesendet: Sat Dec 29 00:12:03 MEZ 2012
An: Guy Harris <guy () alum mit edu>
Betreff: Re: [tcpdump-workers] Printing nanosecond timestamp information in raw output

Thanks for your quick and detailed answer!
Yes, of course I mean to print a timestamp before printing out every packet. 
My target environment is android with a 2.6.35.14-kernel.
I realize that the timestamp is taken "a long time" after the reception of the packet. I didn't know a better way, 
though and hoped that the execution time between the reception of the packet and taking the timestamp is relatively 
constant (with an uncertainty of 4ns or so).

Does the above mentioned kernel have the feature you mentioned? What do I have to do print that timestamp together 
before the raw packet?

If it doesn't work: Which function in which c-file is being called to print the raw packet? I have really been 
searching a lot through the code but have not managed to insert the timestamp output into the right one.

Thanks a lot in advance, again!



Guy Harris <guy () alum mit edu> wrote:

> On Dec 28, 2012, at 1:15 PM, Maik Jäkel <email () maikjaekel de> wrote:
>
> > for 2 days I'm now searching for the appropriate position to insert 5
> lines of code:
>
> Insert into tcpdump or insert into some other program?
>
> > I'm trying to print out a current timestamp with nanosecond accuracy
> between every printed packet.
> > I want to print packets in raw format / hex format and want to write
> down the exact time they were received. 
>
> (Presumably, in English, you mean "*before* every printed packet"; if
> there are N printed packets, there are only N - 1 places between every
> printed packet, so you can't time-stamp every packet by printing a time
> stamp between packets.)
>
> tcpdump *already* prints the timestamp supplied by libpcap;
> unfortunately:
>
>       1) it has microsecond resolution, not nanosecond resolution;
>
>       2) it's not guaranteed to be the *exact* time - the time stamp might
> be assigned to the packet when it's first seen by the networking stack,
> which could be some time before the first or last bit of the packet
> arrives at the network adapter;
>
>       3) even given point 2, it's closer to the exact time that the packet
> was received than any time you will get by making an operating system
> call to get the time, as it'll be even *longer* after the packet
> arrived than any time stamp you get from libpcap.
>
> All of those would apply to any program using libpcap, not just to
> tcpdump.
>
> If you really want nanosecond-resolution and accurate time stamps, you
> would either have to use your OS's packet capture mechanism directly,
> in your own program, rather than using libpcap, and do whatever's
> necessary to get nanosecond-resolution high-accuracy time stamps (which
> might mean you'd need a network adapter that supplies time stamps with
> nanosecond resolution, and you'd need OS support for that, which newer
> versions of the Linux kernel have and newer versions of FreeBSD might
> have), or libpcap would have to be modified to support that (recent
> versions have support for hardware time stamps in Linux and FreeBSD, if
> the hardware and OS support them, but they'd need to be extended to
> support requesting nanosecond-resolution time stamps).

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers