Hi, We are working on a project where we need to know precise details about the generation of the timestamp when capturing with tcpdump. We've struggled a bit to find the information we need, but trawling around the web we have pulled together what we think are the correct details - see https://community.tribelab.com/mod/page/view.php?id=647 Is the detail on this page correct? Thanks and regards...Paul asked 29 Mar '17, 00:02 PaulOfford |
3 Answers:
There's the Wireshark Wiki Timestamps page. There's a tcpdump FAQ: When is a packet time-stamped? How accurate are the time stamps?. For WinPcap\npcap I believe the packet is timestamped by the npf driver on receipt of the callback from the NIC driver handing off a buffer of data, so this is in the npf kernel driver. The timestamp itself is derived from several sources depending on whether the system is x86 or x64 and the timestamp mode. For info about the mode see this email. answered 29 Mar '17, 15:09 grahamb ♦ |
No. The time stamping is, in most OSes supported by libpcap, done in the kernel. The only exception is HP-UX. However, that doesn't mean that the time stamping is done the instant the packet arrives on the adapter. There can be a delay between the point at which the first octet of the packet arrives and the point at which the last octet of the packet arrives, and a delay between the point at which the last octet of the packet is given to the host and the point at which the host is notified of the packet's arrival (by an interrupt, or by the host doing polling), and a delay between the point at which the host is notified of the packet's arrival and the point at which the host networking stack time-stamps the packet. As Anders noted, newer versions of libpcap support hardware time stamping; that's supported only on Linux, with newer versions of the Linux kernel, and with adapters that support it. Note, however, that those time stamps might not be synchronized with the host's clock, and might be based on Precision Time Protocol time stamps, which are based on International Atomic Time and might have, as their time origin, January 1, 1970, 00:00:00 TAI, rather than the UN*X origin of January 1, 1970, 00:00:00 UTC, and thus might be a few seconds different from UN*X time. answered 29 Mar '17, 20:11 Guy Harris ♦♦ edited 29 Mar '17, 20:17 |
I think newer libcap offers HW timestamps, not sure how well it works. http://www.tcpdump.org/manpages/pcap-tstamp.7.html answered 29 Mar '17, 03:23 Anders ♦ |
Thanks Anders. I think that answers my questions.
Could someone change Anders comment to and answer and I'll mark it as accepted?