tcpdump mailing list archives

Re: Fwd: Re: Printing nanosecond timestamp information in raw output

From: Guy Harris <guy () alum mit edu>
Date: Fri, 28 Dec 2012 15:53:17 -0800


On Dec 28, 2012, at 3:14 PM, Maik Jäkel <email () maikjaekel de> wrote:

My target environment is android with a 2.6.35.14-kernel.
I realize that the timestamp is taken "a long time" after the reception of the packet. I didn't know a better way, 
though and hoped that the execution time between the reception of the packet and taking the timestamp is relatively 
constant (with an uncertainty of 4ns or so).


If you want a timestamp, you need a real-time clock, not an execution-time clock, so what matters isn't the *execution* 
time, what matters is the *real* time, which is not guaranteed to be relatively constant.  If your process isn't 
competing with any other processes (including daemons as well as other applications) for any of the processor cores, or 
if the process is running with some form of real-time scheduling enabled so that the CPU will never be taken away from 
it by the scheduler, *maybe* the execution time and real time will be close to the same, but even that's not guaranteed 
unless all of the virtual memory the packet capture and printing code path is wired into main memory (so you don't take 
any page faults).

As this is Linux-specific, the easiest way to get nanosecond-resolution time stamps is *NOT* to simply modify tcpdump.  
I would suggest, instead, that you:

        modify *libpcap*, so that it returns nanosecond-resolution time stamps;

        modify tcpdump, so that it assumes that the tv_usec in the time stamps it gets from libpcap is in units of 
nanoseconds rather than microseconds;

        statically link your modified tcpdump with your modified libpcap and use that.

To modify libpcap, change

#ifdef HAVE_TPACKET2
                case TPACKET_V2:
                        tp_len     = h.h2->tp_len;
                        tp_mac     = h.h2->tp_mac;
                        tp_snaplen = h.h2->tp_snaplen;
                        tp_sec     = h.h2->tp_sec;
                        tp_usec    = h.h2->tp_nsec / 1000;
                        break;
#endif

in pcap-linux.c to

#ifdef HAVE_TPACKET2
                case TPACKET_V2:
                        tp_len     = h.h2->tp_len;
                        tp_mac     = h.h2->tp_mac;
                        tp_snaplen = h.h2->tp_snaplen;
                        tp_sec     = h.h2->tp_sec;
                        tp_usec    = h.h2->tp_nsec;
                        break;
#endif

A 2.6.35 kernel should support version 2 of the "turbopacket" memory-mapped Linux packet capture mechanism, i.e. 
TPACKET_V2, so it should be able to supply nanosecond-resolution time stamps, and that should be the mechanism used, by 
default, by libpcap.

Does the above mentioned kernel have the feature you mentioned?


It supports version 2 of the "turbopacket" memory-mapped Linux packet capture mechanism, which supplies 
nanosecond-resolution time stamps from the kernel, so it has that feature.

It also supports hardware time stamps *IF* the network adapter and driver support it.  I suspect the network adapters 
on Android devices don't, however, so you'll probably have to live with software timestamps.  If you're modifying the 
latest libpcap and tcpdump, those will have support for hardware timestamps, so you might try running tcpdump with the 
command-line option "-j adapter" - if that works, you get hardware time stamps, but, if it doesn't (i.e., if it 
complains that the timestamp type isn't supported), try not using "-j adapter".  You *might* be able to get better, but 
still software-based, timestamps with "-j host_hiprec", but those time stamps might be more expensive to fetch and 
aren't synchronized with the host clock.

What do I have to do print that timestamp together before the raw packet?


Modify tcpdump so that it assumes that timestamps are in the form of seconds and nanoseconds, and then just let it 
print the regular timestamp.  Do *not* attempt to get, or print, timestamps yourself.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers

Current thread:

Fwd: Re: Printing nanosecond timestamp information in raw output Maik Jäkel (Dec 28)
- Re: Fwd: Re: Printing nanosecond timestamp information in raw output Guy Harris (Dec 28)
  - Re: Fwd: Re: Printing nanosecond timestamp information in raw output Guy Harris (Dec 28)
  - Re: Fwd: Re: Printing nanosecond timestamp information in raw output Maik Jäkel (Dec 29)
- Message not available
  - Re: Fwd: Re: Printing nanosecond timestamp information in raw output Maik Jäkel (Dec 29)