tcpdump mailing list archives

Re: libpcap 1.5.3 pcap_open_offline_with_tstamp_precision() broken


From: Michal Sekletar <msekleta () redhat com>
Date: Fri, 6 Jun 2014 12:24:19 +0200

On Thu, Jun 05, 2014 at 07:21:26PM +0200, Steffen Bauch wrote:
Hi,

libpcap 1.5.3 (as deployed in Ubuntu 14.04 LTS) (and current GIT
master head) will not output timestamps in the right way if pcapng
savefiles are used and timestamp conversion is requested with
pcap_open_offline_with_tstamp_precision(). For traditional pcap
files, the necessary timestamp conversion will work in the right way.

To reproduce this problem:

1. Capture a network trace with dumpcap as pcapng file

dumpcap -i eth0 -w timestamp_problem.pcapng

per default this capture will have microsecond timestamp resolution

2. Open the file with

pcap_open_offline_with_tstamp_precision(filename, PCAP_TSTAMP_PRECISION_NANO, errbuf);

3. Retrieve frames with pcap_dispatch and a callback function and
print the content of the timevals (sec and usec).

All frames retrieved will have subsecond timestamps between 0 and
999, which is wrong.

4. Convert the file from pcapng to pcap

editcap timestamp_problem.pcapng timestamp_working.pcap -F pcap

5. Perform steps 2 and 3 for the pcap file and see correct subsecond
timestamps in nanosecond range 0 - 999999999

The reason for the problem is a wrong computation of the scaling
factor in pcap_ng_next_packet in sf-pcap-ng.c

Assume you have a file with microsecond resolution and request
nanosecond output. In this case you will be required to scale the
value up for representation purposes. But the code will perform the
following:

                frac *= ps->ifaces[interface_id].tsresol; /* resolution of the interface: multiply with a small value: 1000000 */
                frac /= ps->user_tsresol; /* requested output resolution, divide with a large value: 1000000000 */

This will lead to an overall downscaling of the fractional part, an
overall division by factor 1000 which doesn't seem to be right. In
my opinion the code should multiply with the output resolution and
divide by the interface resolution.

                frac *= ps->user_tsresol; /* requested output resolution, multiply with a large value: 1000000000 */
                frac /= ps->ifaces[interface_id].tsresol; /* resolution of the interface: divide with a small value: 1000000 */

Thanks for reporting this. I tested your patch and I can confirm it fixes the
issue. Can you please open a pull request and submit your patch via github?


Best regards,

Steffen

Cheers,

Michal

-- 
Web: http://datenkobold.de Twitter: @steffenbauch
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
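
The scaling arithmetic discussed in this thread, as an added example that is not part of the original messages or of libpcap's source: it runs both operation orders on constructed sample fractions, in both conversion directions, with a range check a capture consumer can apply. The function and parameter names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Ticks per second; values taken from the comments quoted in the thread. */
#define TSRESOL_MICRO 1000000ULL
#define TSRESOL_NANO  1000000000ULL

/* Order quoted in the report as the current behaviour (the "before").
 * Parameter names are assumptions made for this example. */
uint64_t scale_frac_reported(uint64_t frac, uint64_t if_tsresol,
                             uint64_t user_tsresol)
{
    frac *= if_tsresol;
    frac /= user_tsresol;
    return frac;
}

/* Order proposed in the report: multiply by the requested output
 * resolution, then divide by the interface resolution. With both
 * resolutions at most 10^9 the product stays below 2^64. */
uint64_t scale_frac_proposed(uint64_t frac, uint64_t if_tsresol,
                             uint64_t user_tsresol)
{
    frac *= user_tsresol;
    frac /= if_tsresol;
    return frac;
}

/* Sanity check for a consumer: a sub-second value must be smaller
 * than one second expressed in output ticks. */
int frac_in_range(uint64_t frac, uint64_t user_tsresol)
{
    return frac < user_tsresol;
}

int main(void)
{
    uint64_t us = 999999;    /* constructed: largest microsecond fraction */
    uint64_t ns = 123456789; /* constructed: a nanosecond fraction */

    printf("us->ns reported=%llu proposed=%llu\n",
           (unsigned long long)scale_frac_reported(us, TSRESOL_MICRO, TSRESOL_NANO),
           (unsigned long long)scale_frac_proposed(us, TSRESOL_MICRO, TSRESOL_NANO));
    printf("ns->us reported=%llu proposed=%llu\n",
           (unsigned long long)scale_frac_reported(ns, TSRESOL_NANO, TSRESOL_MICRO),
           (unsigned long long)scale_frac_proposed(ns, TSRESOL_NANO, TSRESOL_MICRO));
    return 0;
}
```

In the microsecond-to-nanosecond direction the reported order never exceeds 999, matching the symptom in the report; in the opposite direction it yields a value that fails `frac_in_range`.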