Depends on which process opens the socket first. The kernel copies
incoming packets to these "taps" one at a time in sequence. Did you
try launching 'P' first before Wireshark?
K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com
On Mon, Jun 28, 2010 at 4:49 PM, Bryan Hoyt | Brush Technology
<bryan@xxxxxxxxxxx> wrote:
> Hi there,
>
> I'm using Wireshark to capture data that I'm receiving via a raw
> socket (on Linux) in another process (let's call it 'P').
>
> I record the timestamp of each packet P receives, and compare that
> with Wireshark's timestamp. Wireshark *always* receives the data
> ~10-30us before P does. But theoretically, they should both be on
> equal footing, because Wireshark captures the data in the same way as
> P (via a raw socket).
>
> Why am I seeing this difference?
>
> - Bryan
>
> --
> Bryan Hoyt, Web Development Manager -- Brush Technology
> Ph: +64 3 942 7833 Mobile: +64 21 238 7955
> Web: brush.co.nz
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users