Re: timestample and accuracy

[Guy Harris <gharris () sonic net>]

On Fri, Jan 10, 2003 at 10:41:47AM -0600, Xinwen - Fu wrote:
> 1. tcpdump gives us the time stample of each packet. Who prints this
> timestamp? network card, network card driver or others?

Tcpdump prints it, in the sense of writing it as output to your display.

The timestamp is supplied to tcpdump by libpcap.

Libpcap, in turn, gets it from the OS.

How that time stamp is supplied by the OS depends on the OS.

I don't know of any case where it's supplied by the network interface,
although there might be one.  It is usually supplied either by the
network interface driver or by some other part of the OS kernel.

> 2. Is it possible that network cards (e.g., 3com)  buffer two or more
> packets, and then
> transfer the two packets at one time to OS by one network card
> hardware interrupt? Then two packets get the same time stample?

The time stamp will not, in any case, reflect, with very high accuracy,
the time at which the packet first arrives on the network interface. 
The time stamp is supplied after the host sees the packet and does some
processing on it, and that processing can take a variable amount of
time.

It is certainly possible that more than one packet could be processed
per interrupt.  In fact, some drivers might explicitly arrange that this
happen, so that the machine doesn't spend as much time processing
interrupts under heavy incoming network load.

The time stamps aren't necessarily going to be the *same*, in that case;
if the time stamps have sufficiently high resolution (for example, if
they use some high-resolution clock on the machine), the fact that one
is processed after the other might cause them to have different time
stamps.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe