tcpdump mailing list archives

Re: enquire about the tcpdump


From: Guy Harris <guy () alum mit edu>
Date: Tue, 29 Sep 2009 09:17:05 -0700


On Sep 29, 2009, at 1:15 AM, Shangbo Wang wrote:

> I downloaded the tcpdump from your website. I want to enquire that the
> tcpdump can extract the timestamp in nanoseconds.

Tcpdump captures network traffic, and reads savefiles containing captured network traffic, using libpcap. Libpcap does *NOT* support nanosecond-resolution time stamps, so tcpdump cannot capture traffic with nanosecond-resolution time stamps or print time stamps with nanosecond resolution.

In addition, even if libpcap's programming interface supported nanosecond-resolution time stamps, that doesn't mean that, for any particular operating system, the mechanism in the operating system used by libpcap to do traffic capture supports them - for example:

on *BSD and Mac OS X, the BPF mechanism used to capture traffic provides only microsecond-resolution time stamps;

on Linux, older versions of the kernel don't support nanosecond-resolution time stamps.

Note also that nanosecond resolution can be misleading - the time stamp of a packet is not necessarily a record of the time at which a packet arrived at the network adapter; it's a record of the time when the packet was seen by the code that time-stamps packets, and there could be a significant delay between those two times. In addition, packets might be processed in batches, because the network adapter's driver might, for example, use polling rather than interrupts (if there's an interrupt for every packet, the system might have to spend most of its time processing interrupts, leaving less time to actually process the network traffic), so the delay between the two times could be different for different packets.

If you really need precise and accurate nanosecond time stamps, you might have to use specialized hardware to capture the network traffic.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
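
An added example, not part of the original post and not tcpdump or libpcap code: a Python reader for the classic pcap savefile layout, whose record headers store each time stamp as a seconds field plus a microseconds field. It shows that two packets stamped within the same microsecond, for instance when delivered in one batch, come out with a zero inter-arrival time. The function names and the sample capture bytes are constructed for illustration.

```python
import struct

# Magic number of the classic pcap savefile (seconds + microseconds stamps).
PCAP_MAGIC_USEC = 0xA1B2C3D4

def read_timestamps(data):
    """Return each record's time stamp as integer microseconds since the epoch."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    # The magic number reveals the byte order the writing host used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC_USEC:
            break
    else:
        raise ValueError("not a classic microsecond pcap savefile")
    stamps, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        # Record header: ts_sec, ts_usec, captured length, original length.
        ts_sec, ts_usec, caplen, _origlen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if ts_usec >= 1_000_000:
            raise ValueError("ts_usec out of range")
        if off + 16 + caplen > len(data):
            raise ValueError("truncated packet data")
        stamps.append(ts_sec * 1_000_000 + ts_usec)
        off += 16 + caplen
    return stamps

def interarrival_us(stamps):
    """Differences between consecutive time stamps, in microseconds."""
    return [b - a for a, b in zip(stamps, stamps[1:])]

def build_sample(endian="<"):
    """Constructed savefile: three 4-byte dummy packets, link type 1."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    # Constructed stamps: the first two fall in the same microsecond.
    recs = [(1254240000, 100000), (1254240000, 100000), (1254240000, 100007)]
    body = b"".join(struct.pack(endian + "IIII", s, u, 4, 4) + b"\x00" * 4
                    for s, u in recs)
    return hdr + body

if __name__ == "__main__":
    ts = read_timestamps(build_sample())
    print(ts, interarrival_us(ts))
```

A delta of 0 here means only that the two packets were stamped in the same microsecond, not that they arrived at the adapter at the same instant.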

