Software-Based Packet Capturing with High Precision Timestamping for Linux

Widely used network measurement applications, such as tcpdump and Wireshark, use the same common libpcap packet capture library. Libpcap assigns a 10-6 second precision timestamp to all processed frames. Higher physical bandwidth implies shorter inter-arrival times between consecutive frames. Therefore timestamp precision must be proportional to the link speed. Latest version 1.0.x of libpcap provides 10-6 second native resolution, however pcap format supports a larger 2 x 32-bit timestamp value for each stored packets. On Gigabit Ethernet or faster networks, timestamp resolution that works in the microsecond domain may not enable us to precisely reproduce the time-domain relation between consecutive frames. Therefore overall analysis of the data transmission could drive to a false result. Independently from one other, five impact factors could directly bias the generation of timestamps: hardware architecture, NIC driver operation mode, clock source, kernel queue handler and the libpcap itself. In an idealized case generated timestamps are always converging and suitably close to the real arrival or transmission time of each frames so to conserve the original inter-arrival time values. For packet capturing with libpcap, it is assumed that timestamping performed when a frame is enqueued to the kernel’s input packet queue. Accordingly these timestamps represents the time moment when a frame reaches the input queue. Libpcap must retrieve these timestamps from the kernel. Timestamp resolution of network measurement applications must be increased according to the requirements of advanced high speed data networks. In our paper we are going to show an alternative libpcap-based solution that features nanosecond precision timestamping.