Wireshark-users: Re: [Wireshark-users] Raw socket performance

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 28 Jun 2010 17:11:05 -0700
On Jun 28, 2010, at 4:49 PM, Bryan Hoyt | Brush Technology wrote:

> I'm using Wireshark to capture data that I'm receiving via a raw
> socket (on linux) in another process (let's call it 'P').
> 
> I record the timestamp of each packet P receives,

Where do you get that timestamp?

> and compare that with wireshark's timestamp.

Wireshark gets the timestamp from libpcap/WinPcap; on Linux, the libpcap code:

	uses the SIOCGSTAMP ioctl on the socket to get the time stamp if it's not using the memory-mapped interface to the socket;

	gets the time stamp from the record in the memory-mapped buffer if it is using the memory-mapped interface.

If you're getting the time stamp with, for example, gettimeofday(), that will be the time stamp at the time you call gettimeofday(), not the time stamp at the time the Linux networking stack time-stamped the packet.  The time stamp from SIOCGSTAMP or from the memory-mapped buffer will be the time stamp at the time the Linux networking stack time-stamped the packet.

> Wireshark *always* receives the data ~10-30us before P does.

As per the above, Wireshark doesn't record the time when it receives the data; it records the time it was given, which is the time when the Linux networking stack time-stamped the packet.  This is probably after the packet was first handed to the networking stack, but before the networking stack handed it to the application - and if the application is time-stamping packets with gettimeofday(), it's probably doing so after the recv()/recvfrom()/recvmsg() call returns, so that's even after the networking stack handed the packet to the application.

> But theoretically, they should both be on
> equal footing, because wireshark captures the data in the same way as
> P (via a raw socket).

What sort of raw socket?  A PF_PACKET/SOCK_RAW socket?  Or some other SOCK_RAW socket, e.g. PF_INET/SOCK_RAW?  I don't have the Linux networking stack code in front of me, but it might hand packets to "taps" (PF_PACKET sockets, or maybe PF_PACKET sockets not bound to a particular protocol, I forget which) before it hands them to other sockets.

That might introduce a time difference over and above any difference you'd see from, for example, getting time stamps in your application with gettimeofday().