Re: timestamp

[Guy Harris <gharris () sonic net>]

On Sat, Oct 19, 2002 at 11:34:24AM +0200, Curro wrote:
> I have a question and, maybe, someone could help me.
> The manual of tcpdump says that:'The  timestamp reflects  the  time  the
> kernel first saw the packet'
>
> Well, I would like to know when the kernel first saw the packet. It means,
> the interrupt of a 'new packet' is sent at kernel when the NIC sees the
> first bit of a new packet or when the NIC sees the last bit (totally
> transfered).

I suspect that, for most if not all network cards, the interrupt occurs
when the packet is totally transferred.

Note also that the statement in the manual page isn't entirely accurate:

        the kernel doesn't necessarily time-stamp the packet as soon as
        it gets the interrupt - there may be a few instructions required
        to call the interrupt handler, and the time stamping might not occur
        until the driver calls a "network input" routine or, on Solaris,
        until the packet gets processed by the "bufmod" STREAMS module;

        on some platforms (HP-UX, for example), the kernel doesn't time
        stamp the packets at all, so the time stamp is the time the
        packet is received by the userland code.

So if you really want a time stamp that extremely precisely reflects the
time when the packet's first bit arrives at the machine running tcpdump
(or some other libpcap-based application), you're out of luck - and the
same is even true if you want a time stamp that extremely precisely
reflects the time when the packet's *last* bit arrives.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe