trusty (7) pcap-tstamp.7.gz

Provided by: libpcap0.8-dev_1.5.3-2_amd64 bug

NAME
       pcap-tstamp - packet time stamps in libpcap


DESCRIPTION
       When capturing traffic, each packet is given a time stamp representing, for incoming packets, the arrival
       time of the packet and, for outgoing packets, the transmission time of  the  packet.   This  time  is  an
       approximation  of the arrival or transmission time.  If it is supplied by the operating system running on
       the host on which the capture is being done, there  are  several  reasons  why  it  might  not  precisely
       represent the arrival or transmission time:

              if  the  time  stamp  is  applied to the packet when the networking stack receives the packet, the
              networking stack might not see the packet until an interrupt is delivered  for  the  packet  or  a
              timer  event causes the networking device driver to poll for packets, and the time stamp might not
              be applied until the packet has had some processing done by other code in the networking stack, so
              there might be a significant delay between the time when the last bit of the packet is received by
              the capture device and when the networking stack time-stamps the packet;

              the timer used to generate the time stamps might have low resolution, for example, it might  be  a
              timer  updated  once  per  host  operating system timer tick, with the host operating system timer
              ticking once every few milliseconds;

              a high-resolution timer might use a counter that runs at a rate dependent on the  processor  clock
              speed,  and  that clock speed might be adjusted upwards or downwards over time and the timer might
              not be able to compensate for all those adjustments;

              the host operating system's clock might be adjusted over time to match a time  standard  to  which
              the host is being synchronized, which might be done by temporarily slowing down or speeding up the
              clock or by making a single adjustment;

              different CPU cores on a multi-core or  multi-processor  system  might  be  running  at  different
              speeds,  or  might  not  have time counters all synchronized, so packets time-stamped by different
              cores might not have consistent time stamps.

       In addition, packets time-stamped by different cores might be time-stamped in one order and added to  the
       queue  of  packets  for  libpcap  to  read  in  another  order, so time stamps might not be monotonically
       increasing.

       Some capture devices on some platforms can provide time stamps for packets; those time stamps are usually
       high-resolution  time  stamps,  and  are  usually applied to the packet when the first or last bit of the
       packet arrives, and are thus more accurate than time stamps provided by the host operating system.  Those
       time  stamps  might  not,  however,  be synchronized with the host operating system's clock, so that, for
       example, the time stamp of a packet might not correspond to the time  stamp  of  an  event  on  the  host
       triggered by the arrival of that packet.

       Depending on the capture device and the software on the host, libpcap might allow different types of time
       stamp to be used.  The pcap_list_tstamp_types(3PCAP)  routine  provides,  for  a  packet  capture  handle
       created  by  pcap_create(3PCAP) but not yet activated by pcap_activate(3PCAP), a list of time stamp types
       supported by the capture device for that handle.  The list might be empty, in which  case  no  choice  of
       time   stamp   type   is   offered   for   that   capture   device.   If  the  list  is  not  empty,  the
       pcap_set_tstamp_type(3PCAP) routine can be used after a pcap_create() call and before  a  pcap_activate()
       call  to  specify the type of time stamp to be used on the device.  The time stamp types are listed here;
       the  first  value  is  the  #define  to  use  in  code,  the  second  value  is  the  value  returned  by
       pcap_tstamp_type_val_to_name() and accepted by pcap_tstamp_name_to_val().

            PCAP_TSTAMP_HOST - host
                 Time stamp provided by the host on which the capture is being done.  The precision of this time
                 stamp is unspecified; it might or might not be synchronized with the  host  operating  system's
                 clock.

            PCAP_TSTAMP_HOST_LOWPREC - host_lowprec
                 Time  stamp  provided  by the host on which the capture is being done.  This is a low-precision
                 time stamp, synchronized with the host operating system's clock.

            PCAP_TSTAMP_HOST_HIPREC - host_hiprec
                 Time stamp provided by the host on which the capture is being done.  This is  a  high-precision
                 time  stamp;  it might or might not be synchronized with the host operating system's clock.  It
                 might be more expensive to fetch than PCAP_TSTAMP_HOST_LOWPREC.

            PCAP_TSTAMP_ADAPTER - adapter
                 Time stamp provided by the network adapter on which the capture is being done.  This is a high-
                 precision time stamp, synchronized with the host operating system's clock.

            PCAP_TSTAMP_ADAPTER_UNSYNCED - adapter_unsynced
                 Time stamp provided by the network adapter on which the capture is being done.  This is a high-
                 precision time stamp; it is not synchronized with the host operating system's clock.


SEE ALSO
       pcap_set_tstamp_type(3PCAP),     pcap_list_tstamp_types(3PCAP),      pcap_tstamp_type_val_to_name(3PCAP),
       pcap_tstamp_name_to_val(3PCAP)

                                                 22 August 2010                                   PCAP-TSTAMP(7)