Wireshark mailing list archives

Re: Raw socket performance


From: Guy Harris <guy () alum mit edu>
Date: Mon, 28 Jun 2010 17:11:05 -0700


On Jun 28, 2010, at 4:49 PM, Bryan Hoyt | Brush Technology wrote:

> I'm using Wireshark to capture data that I'm receiving via a raw
> socket (on linux) in another process (let's call it 'P').

> I record the timestamp of each packet P receives,

Where do you get that timestamp?

> and compare that with wireshark's timestamp.

Wireshark gets the timestamp from libpcap/WinPcap; on Linux, the libpcap code:

        uses the SIOCGSTAMP ioctl on the socket to get the time stamp if it's not using the memory-mapped interface to the socket;

        gets the time stamp from the record in the memory-mapped buffer if it is using the memory-mapped interface.

If you're getting the time stamp with, for example, gettimeofday(), that will be the time stamp at the time you call 
gettimeofday(), not the time stamp at the time the Linux networking stack time-stamped the packet.  The time stamp from 
SIOCGSTAMP or from the memory-mapped buffer will be the time stamp at the time the Linux networking stack time-stamped 
the packet.

> Wireshark *always* receives the data ~10-30us before P does.

As per the above, Wireshark doesn't record the time when it receives the data; it records the time it was given, which 
is the time when the Linux networking stack time-stamped the packet.  This is probably after the packet was first 
handed to the networking stack, but before the networking stack handed it to the application - and if the application 
is time-stamping packets with gettimeofday(), it's probably doing so after the recv()/recvfrom()/recvmsg() call 
returns, so that's even after the networking stack handed the packet to the application.

> But theoretically, they should both be on
> equal footing, because wireshark captures the data in the same way as
> P (via a raw socket).

What sort of raw socket?  A PF_PACKET/SOCK_RAW socket?  Or some other SOCK_RAW socket, e.g. PF_INET/SOCK_RAW?  I don't 
have the Linux networking stack code in front of me, but it might hand packets to "taps" (PF_PACKET sockets, or maybe 
PF_PACKET sockets not bound to a particular protocol, I forget which) before it hands them to other sockets.

That might introduce a time difference over and above any difference you'd see from, for example, getting time stamps 
in your application with gettimeofday().
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
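As an added example (not part of the thread), here is the comparison Bryan's process is making, done on a single host: the Linux networking stack's own receive time stamp of a datagram versus a gettimeofday() taken after the receive call returns. It uses UDP over loopback so it needs no privileges, and reads the stack's stamp through SO_TIMESTAMP ancillary data rather than the SIOCGSTAMP ioctl libpcap uses on its non-mmap path; both hand back the same stamp the stack put on the packet. Linux-specific; stamp_lag_us is my own function name.

```c
/* Added example, not from the thread: how far behind the Linux stack's receive
 * time stamp does a gettimeofday() taken after recv returns land?  Linux only;
 * UDP over loopback so it needs no privileges. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Returns gettimeofday() minus the kernel's receive stamp, in microseconds,
 * or -1 on error.  Never negative: the stack stamps the packet before
 * recvmsg() returns, and the application stamp is taken after it returns. */
long long stamp_lag_us(void)
{
    int on = 1, rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    char buf[16], cbuf[CMSG_SPACE(sizeof(struct timeval))];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct timeval kern, app;
    long long lag = -1;

    if (rx < 0 || tx < 0) goto out;
    /* Ask the stack to attach its receive stamp (skb->tstamp) as ancillary data.
     * libpcap's non-mmap path reads the same stamp via the SIOCGSTAMP ioctl. */
    if (setsockopt(rx, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof on) < 0) goto out;
    if (bind(rx, (struct sockaddr *)&a, alen) < 0) goto out;  /* port 0: kernel picks */
    if (getsockname(rx, (struct sockaddr *)&a, &alen) < 0) goto out;
    if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&a, alen) != 4) goto out; /* constructed */
    if (recvmsg(rx, &mh, 0) != 4) goto out;
    gettimeofday(&app, NULL);  /* what an application stamping after recv() records */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SO_TIMESTAMP) { /* == SCM_TIMESTAMP */
            memcpy(&kern, CMSG_DATA(c), sizeof kern);
            lag = (app.tv_sec - kern.tv_sec) * 1000000LL + (app.tv_usec - kern.tv_usec);
        }
out:
    if (rx >= 0) close(rx); if (tx >= 0) close(tx);
    return lag;
}

int main(void)
{
    long long lag = stamp_lag_us();
    if (lag < 0) { perror("stamp_lag_us"); return 1; }
    printf("application stamp is %lld us after the stack's receive stamp\n", lag);
    return 0;
}
```

The printed lag is the floor of the gap Bryan measured: a capture tool reading the stack's stamp is always at or ahead of an application that stamps after its own receive call returns.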
