Wireshark-dev: [Wireshark-dev] Representing multiple timestamps for a packet

From: Omer Shapira <omer_shapira@xxxxxxxxx>
Date: Tue, 22 Apr 2025 12:22:49 -0700
Hello,

I am looking for advice on the best way to represent multiple timestamps for a packet.

First, the context. As part of my work (network stack developer for a phone/computer manufacturer), I frequently find myself having to identify the amount of time that packets have spent in the different layers of the network stack. There are tools to capture packets at the different layers, and all can produce output in pcap/pcapng format, if asked nicely.

For example, consider the following (vastly simplified) diagram of a kernel network stack. One can use tcpdump as well as other tools to capture the packet timing at the different layers:

+----------------------------+
|  Transport protocols       |
|                            |
+----------------------------+
               ^              
               |              
               v              
+----------------------------+
|  Inet layer                | <- tcpdump -i iptap
|                            |
+----------------------------+
               ^              
               |              
               v              
+----------------------------+
|  Network interface layer   | <- tcpdump -i any
|  AQM and input queues      | <- tcpdump -I pktap
+----------------------------+
               ^              
               |              
               v              
+----------------------------+
|  Cellular Modem Driver     | <- proprietary trace tools specific
|                            |    to the driver software, can produce   
+----------------------------+    pcap output
               ^              
               |              
               v              
+----------------------------+
|  Cellular Modem Firmware   | <- proprietary trace tools specific
|  PDCP and similar queues   |    to the modem hardware, can produce   
+----------------------------+    pcap output (NOTE: different time domain)


While the specifics of the tracing software that can produce pcap files from the driver/firmware are proprietary (and I can not discuss those), the key takeaway is that all can produce output in the pcap/pcapng format.


Once the capture has commenced, the engineer will have a set of pcap files. The current practice is to export the cross-layer delay information into a Jupyter notebook, and continue the analysis there.


Now, the question.

I would be much happier if I could do more of the analysis within Wireshark, so that I could easily correlate, for example, excessive buffering in the driver with the SACK holes.


It seems to me that in order to do that, the timing information from the different pcap files (collected at different trace points) should be collated into a single stream of packets, with every relevant packet having multiple time stamps corresponding to the different stack layers.

I wonder whether it is possible to combine the different timing information into a single pcapng file, so that the different delays could be embedded in a single packet.

I was thinking about two approaches of embedding the timing information into pcap files:
1. Introducing additional packet metadata to the extended headers.
2. Introducing a “pseudo” protocol to represent the different layers.


I tend to like the second approach better, but I wonder what the Wireshark community can suggest.


Best regards,
  - oesh
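The first approach in the post (extra per-packet metadata in the extended headers) can be tried with pcapng's custom options without touching Wireshark itself. The following is an added example, not code from the post or from the Wireshark project: it collates the same frame seen at several trace points, writes one pcapng stream in which each Enhanced Packet Block carries the earliest trace point's timestamp plus a custom binary option (pcapng option code 2989, the copyable variant) holding the other trace points' timestamps, then reads the file back and reports the per-layer delays. The layer ids, the PEN placeholder, the record layout inside the option and the sample timestamps are assumptions made for this example; matching frames by a hash of their bytes is a simplification, since real captures at different layers do not carry byte-identical frames. The modem firmware's timestamps are in a different time domain, as the post notes, and are left out until they have been mapped onto the host clock.

```python
"""Added example: collate per-layer capture timestamps into one pcapng stream.

Each frame is written once, with the earliest trace point's timestamp as the
EPB timestamp; the other trace points' timestamps ride in a pcapng custom
binary option on that EPB.  Layer ids, the PEN placeholder, the record layout
inside the option and the sample data are constructed for this example.
"""
from __future__ import annotations
import hashlib
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
OPT_ENDOFOPT, OPT_IF_TSRESOL = 0, 9                   # pcapng option codes
OPT_CUSTOM_BINARY = 2989                              # custom binary option, copyable
PEN_PLACEHOLDER = 0xFFFFFFFF   # placeholder: a real IANA Private Enterprise Number goes here
LINKTYPE_ETHERNET = 1

# Trace points from the stack diagram; the ids are an assumption of this example.
LAYER_IPTAP, LAYER_PKTAP, LAYER_DRIVER = 1, 2, 3


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(block_type: int, body: bytes) -> bytes:
    total = 12 + len(body)   # type field plus the two total-length fields
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def encode_layer_timestamps(layer_ts: dict[int, int]) -> bytes:
    """Option value: 4-byte PEN, then (layer_id u8, ts_ns u64) records."""
    value = struct.pack("<I", PEN_PLACEHOLDER)
    for layer_id in sorted(layer_ts):
        value += struct.pack("<BQ", layer_id, layer_ts[layer_id])
    return value


def decode_layer_timestamps(value: bytes) -> dict[int, int]:
    (pen,) = struct.unpack_from("<I", value, 0)
    if pen != PEN_PLACEHOLDER:
        raise ValueError(f"custom option from unknown PEN {pen}")
    if (len(value) - 4) % 9:
        raise ValueError("truncated layer-timestamp record")
    return dict(struct.unpack_from("<BQ", value, o) for o in range(4, len(value), 9))


def collate(captures: dict[int, list[tuple[int, bytes]]]) -> list[tuple[bytes, dict[int, int]]]:
    """Group the same frame seen at several trace points, keyed by a hash of
    its bytes (simplification: every trace point records identical bytes)."""
    seen: dict[bytes, tuple[bytes, dict[int, int]]] = {}
    for layer_id, records in captures.items():
        for ts_ns, frame in records:
            seen.setdefault(hashlib.sha256(frame).digest(), (frame, {}))[1][layer_id] = ts_ns
    return sorted(seen.values(), key=lambda item: min(item[1].values()))


def write_pcapng(collated: list[tuple[bytes, dict[int, int]]]) -> bytes:
    shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_ENDOFOPT, b"")
    idb = (struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 0)
           + _option(OPT_IF_TSRESOL, bytes([9]))          # timestamps in nanoseconds
           + _option(OPT_ENDOFOPT, b""))
    out = _block(SHB, shb) + _block(IDB, idb)
    for frame, layer_ts in collated:
        ts = min(layer_ts.values())                       # earliest layer is the EPB time
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        body += _pad4(frame)
        body += _option(OPT_CUSTOM_BINARY, encode_layer_timestamps(layer_ts))
        body += _option(OPT_ENDOFOPT, b"")
        out += _block(EPB, body)
    return out


def read_layer_delays(data: bytes) -> list[dict[int, int]]:
    """Walk the blocks; for each EPB return layer -> delay (ns) since the earliest layer."""
    delays, off = [], 0
    while off < len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if block_type == EPB:
            caplen = struct.unpack_from("<I", data, off + 20)[0]
            opt = off + 28 + (caplen + 3) // 4 * 4       # options follow the padded frame
            while opt < off + total - 4:
                code, length = struct.unpack_from("<HH", data, opt)
                if code == OPT_ENDOFOPT:
                    break
                if code == OPT_CUSTOM_BINARY:
                    layer_ts = decode_layer_timestamps(data[opt + 4: opt + 4 + length])
                    base = min(layer_ts.values())
                    delays.append({lid: ts - base for lid, ts in layer_ts.items()})
                opt += 4 + (length + 3) // 4 * 4
        off += total
    return delays


# Constructed sample: two Ethernet frames seen at three trace points (ns, fake clock).
FRAME_A = bytes(12) + b"\x08\x00" + b"A" * 40
FRAME_B = bytes(12) + b"\x08\x00" + b"B" * 60
SAMPLE_CAPTURES = {
    LAYER_IPTAP:  [(1_000_000, FRAME_A), (5_000_000, FRAME_B)],
    LAYER_PKTAP:  [(1_200_000, FRAME_A), (5_900_000, FRAME_B)],
    LAYER_DRIVER: [(1_350_000, FRAME_A), (8_000_000, FRAME_B)],
}


def demo() -> list[dict[int, int]]:
    return read_layer_delays(write_pcapng(collate(SAMPLE_CAPTURES)))


if __name__ == "__main__":
    for i, d in enumerate(demo()):
        print(f"frame {i}: " + ", ".join(f"layer {lid} +{ns} ns" for lid, ns in sorted(d.items())))
```

Because a copyable custom option survives tools such as editcap that rewrite a file, the extra timestamps stay attached to the frame; Wireshark would need a small dissector (or a Lua post-dissector) keyed on the PEN to turn them into filterable fields, which is the piece of work that distinguishes this approach from the pseudo-protocol one.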