Wireshark-users: Re: [Wireshark-users] measuring latency with wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 29 Apr 2010 12:22:13 -0700

On Apr 29, 2010, at 12:05 PM, Anders Broman wrote:

> Mag Gam wrote 2010-04-29 13:56:
>> I work in a networking group where we need very low latency speeds for
>> our research applications. Are there any tutorials or howtos to
>> measure latency with wireshark? I am looking for nanosecond
>> precision. Is wireshark the correct tool to do this?
>> 
> Probably not if you need that kind of precision, see 
> http://wiki.wireshark.org/Timestamps

I.e., the issue is less with Wireshark than with the underlying capture mechanism it uses.  If you need very accurate time stamp measurements, you might have to use specialized hardware or specialized software to capture the traffic - if you capture using the mechanisms offered by most UN*Xes, or on Windows with WinPcap atop NDIS, the time stamping of a packet is done by the host when it sees the packet, but there could be a significant delay between the arrival of the last bit of the packet at the network adapter and the delivery of the packet to the host, due to interrupt latency and interrupt batching/polling.

Specialized hardware that might help includes capture hardware from Endace:

	http://www.endace.com/

(supported by libpcap on Linux and, I think, FreeBSD and Windows), CACE Technologies:

	http://www.cacetech.com/products/turbocap.html

(supported only on Windows, I think), and possibly others - I don't know whether any free designs exist for capture boards.

Whether running Wireshark to do the capture, or just directly running tcpdump or dumpcap (the program Wireshark runs to capture traffic) or some other program to capture to a file and then looking at it later in Wireshark, is another matter.