[Winpcap-users] Timestamp utility

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Dec 11 18:17:15 GMT 2007


  ----- Original Message ----- 
  From: Claudio Raiti 
  To: Winpcap Users 
  Sent: Tuesday, December 11, 2007 8:18 AM
  Subject: [Winpcap-users] Timestamp utility


  Hi Gianluca,
  thanks for your answer.
   
  But, at this point, I have a doubt: What is the utility of pcap timestamps if these ones are so far from being precise?

This is how it works with all the software-only solutions. This is how the original BSD packet capture system (BPF+libpcap) worked. Timestamps are generated as soon as the OS is able to process the packets, which means later than the actual reception time in the hardware. Utility? They are an estimate of when the packets got received. How good? I cannot quantify that (and neither can any other software-only solution on Linux/BSD/...). They are good when computing bandwidth and similar things. They are good enough to be used by all the applications like Snort, Nmap and ntop. As you've already seen, they are not good in some other cases, e.g. if you want to validate the inter-packet arrival with microsecond precision. For that, you need a solution with hardware-based timestamps, be it Linux with some particular wireless cards, putting the card in monitor mode, and hoping that the wifi card returns hardware timestamps, or something else like AirPcap.

  I didn't know the interrupt mitigation you told me in my first message, so I chose to use pcap library believing that that library could give me good timestamps. Now you let me know that mitigation, so I think my doubt is justified.

As I said, off-the-shelf network cards are usually not designed with packet capture in mind (I mean, related to generation of timestamps).

  Is there a limit of precision I could use in my experiments or is it all dependent on my hardware?

Unfortunately, there is no guaranteed upper limit. It depends on a number of factors, including the hardware, the NIC driver, and the mere fact that you are working on a non-realtime OS (be it Windows or a standard Unix flavor). In the end, one of the main factors for the jitter in the timestamps is probably interrupt mitigation.

  Another thing... Do you know the max size of an aggregated frame used by Atheros AR5008?

Do you mean A-MPDUs or A-MSDUs? In any case, the AR5008 chipset supports the maximum size aggregated frames of the 802.11n draft (2.0). Obviously, you won't see any of these aggregates when capturing with WinPcap.

Have a nice day
GV

  Thanks.
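
The following is an added example, not part of the original thread and not WinPcap or libpcap code: it reads the record timestamps out of a classic pcap file and groups packets that were stamped almost back to back, which is the pattern interrupt mitigation tends to leave in software timestamps. The capture bytes are constructed for the example, and the 50 µs batching threshold and all function names are assumptions.

```python
import struct
from statistics import median

def pcap_timestamps(data):
    """Per-packet timestamps (integer microseconds) from a classic pcap file image."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                          # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    off, stamps = 24, []                      # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * 1_000_000 + usec)
        off += 16 + caplen                    # record header + captured bytes
    return stamps

def batch_sizes(stamps, gap_us=50):
    """Sizes of runs of packets stamped less than gap_us apart (assumed threshold)."""
    if not stamps:
        return []
    sizes = [1]
    for prev, ts in zip(stamps, stamps[1:]):
        if ts - prev < gap_us:
            sizes[-1] += 1                    # same burst as the previous packet
        else:
            sizes.append(1)                   # long gap: a new burst starts
    return sizes

def build_sample():
    """Constructed capture: 12 frames stamped in 3 bursts of 4 (400 us apart, 2 us inside)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    base_us = 1_000_000_000 * 1_000_000       # constructed start time
    for burst in range(3):
        for i in range(4):
            sec, usec = divmod(base_us + burst * 400 + i * 2, 1_000_000)
            out += struct.pack("<IIII", sec, usec, 60, 60) + bytes(60)
    return out

def summarize(data):
    """Inter-arrival statistics and burst sizes for a capture with at least two packets."""
    stamps = pcap_timestamps(data)
    deltas = [b - a for a, b in zip(stamps, stamps[1:])]
    return {"packets": len(stamps), "min_us": min(deltas), "median_us": median(deltas),
            "max_us": max(deltas), "batches": batch_sizes(stamps)}

if __name__ == "__main__":
    print(summarize(build_sample()))
```

A median gap far below the maximum, together with repeated batch sizes, indicates that the per-packet deltas reflect when the host processed the packets rather than when they arrived.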

