<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE>.hmmessage P {
        PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
        FONT-SIZE: 10pt; FONT-FAMILY: Tahoma
}
</STYLE>
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY class=hmmessage bgColor=#ffffff>
<DIV><FONT face="Courier New"></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=claudio.raiti@hotmail.it
href="mailto:claudio.raiti@hotmail.it">Claudio Raiti</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">Winpcap Users</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, December 11, 2007 8:18
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Timestamp
utility</DIV>
<DIV><BR></DIV>
<DIV>Hi Gianluca,<BR>thanks for your answer.<BR>&nbsp;<BR>But, at this point,
I have a doubt: what is the utility of pcap timestamps if they are so
far from being precise?<BR></DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New">This is how it works with all the software-only
solutions. This is how the original BSD packet capture system
(BPF+libpcap) worked. Timestamps are generated as soon as the OS is able to
process the packets, which means later than the actual reception
time in the hardware. Utility? They are an estimate of when the
packets got received. How good? I cannot quantify that (and neither can any other
software-only solution on Linux/BSD/...). They are good when computing
bandwidth and similar things. They are good enough to be used by all the
applications like snort, nmap and ntop. As you've already seen, they
are not good in some other cases, e.g. if you want to validate the inter-packet
arrival with microsecond precision. For that, you need a solution with
hardware-based timestamps, be it Linux with some particular wireless cards,
putting the card in monitor mode, and hoping that the wifi card returns hardware
timestamps, or something else like AirPcap.</FONT></DIV><FONT
face="Courier New"></FONT>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV>I didn't know about the interrupt mitigation you told me about in my first message,
so I chose to use the pcap library believing that that library could give me
good timestamps. Now you have let me know about that mitigation, so I think my doubt is
<BR></DIV>
<DIV id=result_box dir=ltr>justified.</DIV>
<DIV dir=ltr> </DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New">As I said, off-the-shelf network cards are usually
not designed with packet capture in mind (I mean, related to generation of
timestamps). </FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr>Is there a limit of precision I could use in my experiments or is
it all dependent on my hardware?</DIV>
<DIV dir=ltr> </DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New">Unfortunately, there is no guaranteed upper limit.
It depends on a number of factors, including the hardware, the NIC driver, and
the mere fact that you are working on a non-realtime OS (be it Windows or a
standard Unix flavor). In the end, one of the main factors for the jitter
in the timestamps is probably interrupt mitigation. </FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr>Another thing... Do you know the max size of an aggregated frame
used by the Atheros AR5008?</DIV></BLOCKQUOTE>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Do you mean A-MPDUs or A-MSDUs? In any case, the
AR5008 chipset supports the maximum size aggregated frames of the 802.11n draft
(2.0). Obviously, you won't see any of these aggregates when capturing with
WinPcap.</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Have a nice day</FONT></DIV>
<DIV><FONT face="Courier New">GV</FONT></DIV>
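<DIV>The batching that interrupt mitigation imposes on software timestamps, as described in the reply above, can be checked on a capture's own timestamps. This is an added example, not code from the original message or from WinPcap; the cap_ts struct, ia_analyze(), the 50 us burst threshold and the sample timestamps are all constructed for illustration.</DIV>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same idea as the ts field of pcap_pkthdr: seconds plus microseconds. */
struct cap_ts { int64_t sec; int64_t usec; };

struct ia_stats {
    int64_t min_us, max_us, mean_us; /* inter-arrival gaps in microseconds */
    size_t  batched;                 /* gaps shorter than burst_us */
    size_t  max_batch;               /* longest run of packets stamped together */
};

/* Returns 0 on success, -1 if fewer than two packets are supplied. */
int ia_analyze(const struct cap_ts *t, size_t n, int64_t burst_us, struct ia_stats *s)
{
    if (n < 2) return -1;
    int64_t sum = 0;
    size_t run = 1;
    s->min_us = INT64_MAX; s->max_us = INT64_MIN; s->batched = 0; s->max_batch = 1;
    for (size_t i = 1; i < n; i++) {
        int64_t d = (t[i].sec - t[i-1].sec) * 1000000 + (t[i].usec - t[i-1].usec);
        if (d < s->min_us) s->min_us = d;
        if (d > s->max_us) s->max_us = d;
        sum += d;
        if (d < burst_us) { s->batched++; run++; } else run = 1;
        if (run > s->max_batch) s->max_batch = run;
    }
    s->mean_us = sum / (int64_t)(n - 1);
    return 0;
}

/* Constructed sample: a sender emitting one packet every 100 us, as stamped by
   a capture host whose NIC raises an interrupt only about every 400 us. */
static const struct cap_ts sample[] = {
    {10, 999200}, {10, 999202}, {10, 999204}, {10, 999206},
    {10, 999600}, {10, 999601}, {10, 999603}, {10, 999605},
    {11, 0},      {11, 2},      {11, 3},      {11, 5},
};

int main(void)
{
    struct ia_stats s;
    if (ia_analyze(sample, sizeof sample / sizeof sample[0], 50, &s) != 0) return 1;
    printf("gap min/mean/max = %lld/%lld/%lld us, %zu gaps batched, max batch %zu\n",
           (long long)s.min_us, (long long)s.mean_us, (long long)s.max_us,
           s.batched, s.max_batch);
    return 0;
}
```

<DIV>Runs of near-zero gaps separated by one long gap are the signature of packets stamped when the OS drained a batch, not when each frame arrived; in this sample no individual gap reflects the sender's 100 us spacing.</DIV>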
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Thanks.</DIV><BR>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>