Re: Raw socket performance

["Bryan Hoyt | Brush Technology" <bryan () brush co nz>]

Some very helpful info here, thanks, Guy. I appreciate the helpfulness on
this list!

Good to know about SIOCGSTAMP, thanks. I think that will be useful in the
future. Yes, my application uses gettimeofday()

I'm opening the socket with *socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));*

Like I said in my reply to Kowsik, the project's on hold for a bit, so I
won't get a chance to look into it further just now, but I'll follow up on
this when things move ahead.

 - Bryan
-- 
PS. Check out the Brush newsletter: *Subscribe or read our previous
newsletters* <http://brush.co.nz/articles>

Bryan Hoyt, *Web Development Manager*  --  Brush Technology
*Ph:* +64 3 942 7833     *Mobile:* +64 21 238 7955
*Web:* brush.co.nz
On Tue, Jun 29, 2010 at 12:11, Guy Harris <guy () alum mit edu> wrote:

> On Jun 28, 2010, at 4:49 PM, Bryan Hoyt | Brush Technology wrote:
>
> > I'm using Wireshark to capture data that I'm receiving via a raw
> > socket (on linux) in another process (let's call it 'P').
> >
> > I record the timestamp of each packet P receives,
>
> Where do you get that timestamp?
>
> > and compare that with wireshark's timestamp.
>
> Wireshark gets the timestamp from libpcap/WinPcap; on Linux, the libpcap
> code:
>
>        uses the SIOCGSTAMP ioctl on the socket to get the time stamp if
> it's not using the memory-mapped interface to the socket;
>
>        gets the time stamp from the record in the memory-mapped buffer if
> it is using the memory-mapped interface.
>
> If you're getting the time stamp with, for example, gettimeofday(), that
> will be the time stamp at the time you call gettimeofday(), not the time
> stamp at the time the Linux networking stack time-stamped the packet.  The
> time stamp from SIOCGSTAMP or from the memory-mapped buffer will be the time
> stamp at the time the Linux networking stack time-stamped the packet.
>
> > Wireshark *always* receives the data ~10-30us before P does.
>
> As per the above, Wireshark doesn't record the time when it receives the
> data; it records the time it was given, which is the time when the Linux
> networking stack time-stamped the packet.  This is probably after the packet
> was first handed to the networking stack, but before the networking stack
> handed it to the application - and if the application is time-stamping
> packets with gettimeofday(), it's probably doing so after the
> recv()/recvfrom()/recvmsg() call returns, so that's even after the
> networking stack handed the packet to the application.
>
> > But theoretically, they should both be on
> > equal footing, because wireshark captures the data in the same way as
> > P (via a raw socket).
>
> What sort of raw socket?  A PF_PACKET/SOCK_RAW socket?  Or some other
> SOCK_RAW socket, e.g. PF_INET/SOCK_RAW?  I don't have the Linux networking
> stack code in front of me, but it might hand packets to "taps" (PF_PACKET
> sockets, or maybe PF_PACKET sockets not bound to a particular protocol, I
> forget which) before it hands them to other sockets.
>
> That might introduce a time difference over and above any difference you'd
> see from, for example, getting time stamps in your application with
> gettimeofday().
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe