harald.schwier@xxxxxxxxxx wrote:
Hello,
i want to use the nanosecond libcap feature of ethereal 0.10.13 in order to
do some analyses in a 10 GB Eternet environment.
After realising that the Linux vanilla kernel offers a time resolution of 1000 ns,
i installed the high resolution timer patch from http://high-res-timers.sourceforge.net/
But even if i use the patched kernel, ethereal shows 000 in the nanosecond range.
Ethereal shows what libpcap gives it, and libpcap shows what the kernel
gives it.
That would require either
1) the networking stack being changed so that skbuffs get
nanosecond-resolution time stamps
or
2) a new packet capture mechanism be added that provides
nanosecond-resolution time stamps.
It'd also require changes to libpcap to support that.
Is there any information how to activate the nanosecond resolution of ethereal
with linux and/or FreeBSD?
With FreeBSD (or other BSDs) it might be a *bit* easier, in that packet
capture is done in a separate code path from the networking stack, so
you'd have to
modify catchpacket() (I think all the BSDs still have it) to get
nanosecond time stamps;
modify the BPF data structures to include a seconds/nanoseconds time
stamp - and, if the goal is to preserve source and/or binary
compatibility, add a BPF ioctl to request high-resolution time stamps;
modify libpcap to request them (if necessary) and to supply them (which
would require an API to allow an app capable of handling them to request
them).
Ethereal would then have to be modified to use the new libpcap API to
request high-resolution time stamps, if it's to be able to capture with
nanosecond resolution.