Where tcpdump and other libpcap-based capture tools get their time stamps
2010-11-03 14:27
tcpdump gets its time stamps from libpcap, and libpcap gets them from the OS kernel.
When is a packet time-stamped? How accurate are the time stamps?
Q: When is a packet time-stamped? How accurate are the time stamps?
Tcpdump gets time stamps from libpcap, and libpcap gets them from the OS
kernel, so tcpdump - and any other program using libpcap, such as
Ethereal or snoop - is at the mercy of the time stamping code in the OS
for time stamps.
In most OSes on which tcpdump and libpcap run, the packet is time
stamped as part of the process of the network interface's device driver,
or the networking stack, handling it. This means that the packet is not
time stamped at the instant that it arrives at the network interface;
after the packet arrives at the network interface, there will be a delay
until an interrupt is delivered or the network interface is polled
(i.e., the network interface might not interrupt the host immediately -
the driver may be set up to poll the interface if network traffic is
heavy, to reduce the number of interrupts and process more packets per
interrupt), and there will be a further delay between the point at which
the interrupt starts being processed and the time stamp is generated.
On some OSes, such as HP-UX, the OS kernel does not time stamp the
packet at all; instead, it's time stamped by libpcap at the time it
reads the packet from the OS kernel, which means that there will be an
even greater delay between the time the packet arrives and the time that
it's time-stamped.
Thus, the packet time stamp is not necessarily a very accurate
indication of the time it arrived at the machine that captured the
packet.
Time stamps have only 100ms resolution rather than 1us
Q: I'm running tcpdump on Linux; why do my time stamps have
only 100ms resolution, rather than 1us resolution?
At least on x86-based machines, Linux can get high-resolution time
stamps on newer processors with the Time Stamp Counter (TSC) register;
for example, Intel x86 processors, starting with the Pentium Pro, and
including all x86 processors since then, have had a TSC, and other
vendors probably added the TSC at some point to their families of x86
processors.
The Linux kernel must be configured with the CONFIG_X86_TSC option
enabled in order to use the TSC. Make sure this option is enabled in
your kernel.
In addition, some Linux distributions may have bugs in their versions of
the kernel that cause packets not to be given high-resolution time
stamps even if the TSC is enabled. See, for example, bug 61111 for Red
Hat Linux 7.2. If your distribution has a bug such as this, you may
have to run a standard kernel from kernel.org in order to get
high-resolution time stamps.
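
To check whether an existing capture shows the coarse time stamps described in this question, the sketch below (an added example, not code from tcpdump or libpcap) parses a classic pcap file and takes the GCD of successive time stamp differences as the observed clock tick. The function names and the two sample captures are constructed for illustration.

```python
import struct
from functools import reduce
from math import gcd

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # classic pcap magic numbers

def read_timestamps(data):
    """Parse a classic pcap byte string; return (time stamps, units per second)."""
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    units = 10**6 if magic == MAGIC_USEC else 10**9
    stamps, off = [], 24  # per-packet records follow the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * units + frac)
        off += 16 + caplen  # skip the record header and the captured bytes
    return stamps, units

def observed_tick(stamps):
    """GCD of successive time stamp differences: the coarsest clock tick
    consistent with the capture, or None if the stamps never change."""
    deltas = [b - a for a, b in zip(stamps, stamps[1:])]
    return reduce(gcd, deltas, 0) or None

def build_pcap(stamps_usec):
    """Construct a little-endian, microsecond pcap with 4-byte dummy packets."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts in stamps_usec:
        sec, usec = divmod(ts, 10**6)
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

# Constructed sample captures (not real traffic), time stamps in microseconds.
BASE = 1288765620 * 10**6
COARSE = build_pcap([BASE + 37 + k * 100_000 for k in (0, 0, 1, 3, 3, 7)])
FINE = build_pcap([BASE + u for u in (12, 455, 1801, 99_990, 250_003)])

if __name__ == "__main__":
    for name, blob in (("coarse", COARSE), ("fine", FINE)):
        stamps, units = read_timestamps(blob)
        tick = observed_tick(stamps)
        print(f"{name}: {len(stamps)} packets, observed tick {tick / units:.6f} s")
```

An observed tick of 100000 microseconds matches the 100ms symptom; a tick of 1 microsecond only shows that the clock is fine-grained, not that the stamps reflect the packets' true arrival times.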