Where tcpdump and other libpcap-based capture software get their time stamps


tcpdump gets its time stamps from libpcap, and libpcap gets them from the OS kernel

When is a packet time-stamped? How accurate are the time stamps?

Q: When is a packet time-stamped? How accurate are the time stamps?

Tcpdump gets time stamps from libpcap, and libpcap gets them from the OS
kernel, so tcpdump - and any other program using libpcap, such as
Ethereal or snoop - is at the mercy of the time stamping code in the OS
for time stamps.

In most OSes on which tcpdump and libpcap run, the packet is time
stamped as part of the process of the network interface's device driver,
or the networking stack, handling it. This means that the packet is not
time stamped at the instant that it arrives at the network interface;
after the packet arrives at the network interface, there will be a delay
until an interrupt is delivered or the network interface is polled
(i.e., the network interface might not interrupt the host immediately -
the driver may be set up to poll the interface if network traffic is
heavy, to reduce the number of interrupts and process more packets per
interrupt), and there will be a further delay between the point at which
the interrupt starts being processed and the time stamp is generated.

On some OSes, such as HP-UX, the OS kernel does not time stamp the
packet at all; instead, it's time stamped by libpcap at the time it
reads the packet from the OS kernel, which means that there will be an
even greater delay between the time the packet arrives and the time that
it's time-stamped.

Thus, the packet time stamp is not necessarily a very accurate
indication of the time it arrived at the machine that captured the
packet.

Why do my time stamps on Linux have only 100ms resolution?
Time stamp resolution is only 100ms rather than 1us

Q: I'm running tcpdump on Linux; why do my time stamps have
only 100ms resolution, rather than 1us resolution?

At least on x86-based machines, Linux can get high-resolution time
stamps on newer processors with the Time Stamp Counter (TSC) register;
for example, Intel x86 processors, starting with the Pentium Pro, and
including all x86 processors since then, have had a TSC, and other
vendors probably added the TSC at some point to their families of x86
processors.

The Linux kernel must be configured with the CONFIG_X86_TSC option
enabled in order to use the TSC. Make sure this option is enabled in
your kernel.

In addition, some Linux distributions may have bugs in their versions of
the kernel that cause packets not to be given high-resolution time
stamps even if the TSC is enabled. See, for example, bug 61111 for Red
Hat Linux 7.2. If your distribution has a bug such as this, you may
have to run a standard kernel from kernel.org in order to get
high-resolution time stamps.
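
To check whether an existing capture file shows the coarse resolution described above, the following added example (not part of the original FAQ or of tcpdump/libpcap) reads the time stamps from a classic pcap file and reports the largest step that divides every sub-second value. The function names and the sample captures are constructed for illustration.

```python
import io
import struct
from functools import reduce
from math import gcd

# Classic pcap magic numbers: microsecond and nanosecond time stamp variants.
MAGICS = {0xA1B2C3D4: 10**6, 0xA1B23C4D: 10**9}

def read_timestamps(stream):
    """Return (ticks_per_second, [(sec, frac), ...]) from a classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the writer's byte order is revealed by the magic
        magic = struct.unpack(endian + "I", header[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    stamps = []
    while True:
        rec = stream.read(16)
        if len(rec) < 16:  # end of file, or a truncated trailing record
            break
        sec, frac, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        stream.seek(caplen, io.SEEK_CUR)  # skip the captured packet bytes
        stamps.append((sec, frac))
    return MAGICS[magic], stamps

def effective_resolution(ticks_per_second, stamps):
    """Largest step in seconds that divides every sub-second field.
    With no packets this returns 1.0, meaning nothing finer was observed."""
    step = reduce(gcd, (frac for _, frac in stamps), ticks_per_second)
    return step / ticks_per_second

def build_sample_pcap(fracs_us):
    """Constructed sample: little-endian microsecond pcap, 4-byte dummy packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frac in enumerate(fracs_us):
        out += struct.pack("<IIII", 1000 + i // 3, frac, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    coarse = build_sample_pcap([0, 100000, 300000, 700000, 900000])
    fine = build_sample_pcap([12, 100457, 300981, 700003, 900650])
    for name, data in (("coarse", coarse), ("fine", fine)):
        tps, stamps = read_timestamps(io.BytesIO(data))
        print(name, effective_resolution(tps, stamps), "s")
```

A result of 0.1 over many packets points at the coarse kernel clock described above; the estimate only becomes reliable once the capture holds more than a handful of packets.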
