tcpdump mailing list archives

Re: Printing nanosecond timestamp information in raw output


From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Dec 2012 14:59:46 -0800


On Dec 28, 2012, at 1:15 PM, Maik Jäkel <email () maikjaekel de> wrote:

> for 2 days I'm now searching for the appropriate position to insert 5 lines of code:

Insert into tcpdump or insert into some other program?

> I'm trying to print out a current timestamp with nanosecond accuracy between every printed packet.
> I want to print packets in raw format / hex format and want to write down the exact time they were received.

(Presumably, in English, you mean "*before* every printed packet"; if there are N printed packets, there are only N - 1 
places between every printed packet, so you can't time-stamp every packet by printing a time stamp between packets.)

tcpdump *already* prints the timestamp supplied by libpcap; unfortunately:

        1) it has microsecond resolution, not nanosecond resolution;

        2) it's not guaranteed to be the *exact* time - the time stamp might be assigned to the packet when it's
           first seen by the networking stack, which could be some time before the first or last bit of the packet
           arrives at the network adapter;

        3) even given point 2, it's closer to the exact time that the packet was received than any time you will get
           by making an operating system call to get the time, as it'll be even *longer* after the packet arrived
           than any time stamp you get from libpcap.

All of those would apply to any program using libpcap, not just to tcpdump.

If you really want nanosecond-resolution and accurate time stamps, you would either have to use your OS's packet 
capture mechanism directly, in your own program, rather than using libpcap, and do whatever's necessary to get 
nanosecond-resolution high-accuracy time stamps (which might mean you'd need a network adapter that supplies time 
stamps with nanosecond resolution, and you'd need OS support for that, which newer versions of the Linux kernel have 
and newer versions of FreeBSD might have), or libpcap would have to be modified to support that (recent versions have 
support for hardware time stamps in Linux and FreeBSD, if the hardware and OS support them, but they'd need to be 
extended to support requesting nanosecond-resolution time stamps).
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
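
Point 3 of the message can be measured on Linux. The following is an added example, not code from the post or from tcpdump/libpcap: it enables the kernel's nanosecond-resolution receive stamp (`SO_TIMESTAMPNS`) on a socket and compares it with a `clock_gettime()` call made after the packet has been read. Assumptions: a loopback UDP socket stands in for a capture socket so that no privileges are needed, and the function name `stamp_lag_ns` is illustrative.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Added example, Linux only. Sends one constructed UDP datagram over loopback
 * and returns how many ns a clock read made after recvmsg() trails the kernel's
 * SO_TIMESTAMPNS receive stamp; returns -1 on any error. */
long long stamp_lag_ns(void)
{
    long long lag = -1;
    char data[16];
    union { char buf[CMSG_SPACE(sizeof(struct timespec))]; struct cmsghdr align; } ctl;
    struct iovec iov = { data, sizeof data };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct timeval tmo = { 2, 0 };                 /* do not block forever */
    struct timespec user, kern;
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof a;
    int on = 1, rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: kernel picks one */
    if (rx >= 0 && tx >= 0 &&
        setsockopt(rx, SOL_SOCKET, SO_TIMESTAMPNS, &on, sizeof on) == 0 &&
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo) == 0 &&
        bind(rx, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(rx, (struct sockaddr *)&a, &alen) == 0 &&
        sendto(tx, "x", 1, 0, (struct sockaddr *)&a, sizeof a) == 1 &&
        recvmsg(rx, &m, 0) == 1) {
        clock_gettime(CLOCK_REALTIME, &user);      /* the later "OS call" */
        /* The kernel stamp arrives as ancillary data next to the payload. */
        for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c))
            if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_TIMESTAMPNS) {
                memcpy(&kern, CMSG_DATA(c), sizeof kern);
                lag = (user.tv_sec - kern.tv_sec) * 1000000000LL
                    + (user.tv_nsec - kern.tv_nsec);
            }
    }
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return lag;
}

int main(void)
{
    printf("clock read trails kernel stamp by %lld ns\n", stamp_lag_ns());
    return 0;
}
```

The printed lag is the extra error a program would add by time-stamping packets itself after reading them. The kernel stamp is still a software stamp taken in the networking stack, so point 2 applies to it as well.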

