Some very helpful info here, thanks, Guy. I appreciate the helpfulness on this list!
Good to know about SIOCGSTAMP, thanks. I think that will be useful in the future. Yes, my application uses gettimeofday()
I'm opening the socket with socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
Like I said in my reply to Kowsik, the project's on hold for a bit, so I won't get a chance to look into it further just now, but I'll follow up on this when things move ahead.
- Bryan
On Tue, Jun 29, 2010 at 12:11, Guy Harris
<guy@xxxxxxxxxxxx> wrote:
On Jun 28, 2010, at 4:49 PM, Bryan Hoyt | Brush Technology wrote:
> I'm using Wireshark to capture data that I'm receiving via a raw
> socket (on linux) in another process (let's call it 'P').
>
> I record the timestamp of each packet P receives,
Where do you get that timestamp?
> and compare that with wireshark's timestamp.
Wireshark gets the timestamp from libpcap/WinPcap; on Linux, the libpcap code:
uses the SIOCGSTAMP ioctl on the socket to get the time stamp if it's not using the memory-mapped interface to the socket;
gets the time stamp from the record in the memory-mapped buffer if it is using the memory-mapped interface.
If you're getting the time stamp with, for example, gettimeofday(), that will be the time stamp at the time you call gettimeofday(), not the time stamp at the time the Linux networking stack time-stamped the packet. The time stamp from SIOCGSTAMP or from the memory-mapped buffer will be the time stamp at the time the Linux networking stack time-stamped the packet.
> Wireshark *always* receives the data ~10-30us before P does.
As per the above, Wireshark doesn't record the time when it receives the data; it records the time it was given, which is the time when the Linux networking stack time-stamped the packet. This is probably after the packet was first handed to the networking stack, but before the networking stack handed it to the application - and if the application is time-stamping packets with gettimeofday(), it's probably doing so after the recv()/recvfrom()/recvmsg() call returns, so that's even after the networking stack handed the packet to the application.
> But theoretically, they should both be on
> equal footing, because wireshark captures the data in the same way as
> P (via a raw socket).
What sort of raw socket? A PF_PACKET/SOCK_RAW socket? Or some other SOCK_RAW socket, e.g. PF_INET/SOCK_RAW? I don't have the Linux networking stack code in front of me, but it might hand packets to "taps" (PF_PACKET sockets, or maybe PF_PACKET sockets not bound to a particular protocol, I forget which) before it hands them to other sockets.
That might introduce a time difference over and above any difference you'd see from, for example, getting time stamps in your application with gettimeofday().
