How do I turn on nanosecond precision when capturing live traffic?


Problem description

How do I tell libpcap v1.6.2 to store nanosecond values in struct pcap_pkthdr::ts.tv_usec (instead of microsecond values) when capturing live packets?

(Note: This question is similar to How to enable nanosecond resolution when capturing live packets in libpcap? but that question is vague enough that I decided to ask a new question.)

For offline and "dead" captures, the following functions can be used to tell libpcap to fill the struct pcap_pkthdr's ts.tv_usec member with nanosecond values:

Unfortunately, there do not appear to be _with_tstamp_precision variants for pcap_open_live() or pcap_create().

I believe that capturing live packets with nanosecond resolution should be possible, because the changelog for v1.5.0 says (emphasis mine):

Add support for getting nanosecond-resolution time stamps when capturing and reading capture files

I did see the pcap_set_tstamp_type() function and the pcap-tstamp man page, which says:

  • PCAP_TSTAMP_HOST - host: Time stamp provided by the host on which the capture is being done. The precision of this time stamp is unspecified; it might or might not be synchronized with the host operating system's clock.
  • PCAP_TSTAMP_HOST_LOWPREC - host_lowprec: Time stamp provided by the host on which the capture is being done. This is a low-precision time stamp, synchronized with the host operating system's clock.
  • PCAP_TSTAMP_HOST_HIPREC - host_hiprec: Time stamp provided by the host on which the capture is being done. This is a high-precision time stamp; it might or might not be synchronized with the host operating system's clock. It might be more expensive to fetch than PCAP_TSTAMP_HOST_LOWPREC.
  • PCAP_TSTAMP_ADAPTER - adapter: Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp, synchronized with the host operating system's clock.
  • PCAP_TSTAMP_ADAPTER_UNSYNCED - adapter_unsynced: Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp; it is not synchronized with the host operating system's clock.

Does the phrase "high-precision time stamp" here mean that nanosecond values are stored in the header's ts.tv_usec field? If so, PCAP_TSTAMP_HOST says "unspecified", so how do I determine at runtime whether the ts.tv_usec field holds microseconds or nanoseconds? And which of these is the default if pcap_set_tstamp_type() is never called?

Solution

pcap_create() does little if anything to set parameters for the capture device, and has no alternative calls for setting those parameters; this is by design. The intent, at the time pcap_create() and pcap_activate() were introduced, was that neither of those calls would have to be changed in order to support new parameters, and that new APIs would be introduced as new parameters are introduced.

You're supposed to call pcap_create() to create a not-yet-activated handle, set the parameters with the appropriate calls, and then attempt to activate the handle with pcap_activate().

One of the appropriate calls is pcap_set_tstamp_precision(), which is the call you use between pcap_create() and pcap_activate() to specify that you want nanosecond-precision time stamps. The default is microsecond-precision time stamps, for backwards source and binary compatibility.

Note that pcap_set_tstamp_precision() will fail if you can't get nanosecond-precision time stamps from the device on which you're capturing, so you must check whether it succeeds or fails or call pcap_get_tstamp_precision() after activating the pcap_t in order to see what time stamp precision you'll be getting.

And, no, "high-precision" has nothing to do with whether you get microseconds or nanoseconds; it has to do with whether the nominal microseconds or nanoseconds value really provides microsecond or nanosecond granularity or whether you'll always get values that are multiples of a power of 10 because the clock being used doesn't measure down to the microsecond or nanosecond.
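The distinction drawn in the answer above, between the nominal unit of ts.tv_usec and the clock's real granularity, can be checked on captured timestamps. The following is an added example, not code from the question, the answer or libpcap: ts_to_ns(), effective_granularity_ns(), the ts_precision enum and the sample arrays are hypothetical names, and the precision argument is assumed to be what pcap_get_tstamp_precision() reported for the activated handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Local stand-ins (assumption) for the two values pcap_get_tstamp_precision()
 * reports: PCAP_TSTAMP_PRECISION_MICRO and PCAP_TSTAMP_PRECISION_NANO. */
enum ts_precision { TS_PREC_MICRO, TS_PREC_NANO };

/* Constructed samples (not real captures); fields hold nanosecond units. */
static const struct timeval sample_coarse[] = {
    {.tv_sec = 1700000000, .tv_usec = 123456000},
    {.tv_sec = 1700000001, .tv_usec = 5000}};
static const struct timeval sample_fine[] = {
    {.tv_sec = 1700000000, .tv_usec = 123456789}};

/* Nanoseconds since the epoch, or -1 when the sub-second field is out of range
 * for the declared precision (the unit was assumed rather than queried). */
static int64_t ts_to_ns(struct timeval ts, enum ts_precision prec)
{
    int64_t limit = (prec == TS_PREC_NANO) ? 1000000000LL : 1000000LL;
    int64_t scale = (prec == TS_PREC_NANO) ? 1 : 1000;
    if (ts.tv_usec < 0 || (int64_t)ts.tv_usec >= limit)
        return -1;
    return (int64_t)ts.tv_sec * 1000000000LL + (int64_t)ts.tv_usec * scale;
}

/* Largest power of ten (in ns) dividing every sub-second value: the coarsest
 * step consistent with the sample. Returns 0 for empty or invalid input. */
static int64_t effective_granularity_ns(const struct timeval *ts, size_t n,
                                        enum ts_precision prec)
{
    int64_t gran = 1000000000LL;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        int64_t ns = ts_to_ns(ts[i], prec);
        if (ns < 0) return 0;
        while (gran > 1 && (ns % 1000000000LL) % gran != 0)
            gran /= 10;
    }
    return gran;
}

int main(void)
{
    printf("coarse=%lld ns fine=%lld ns\n",
           (long long)effective_granularity_ns(sample_coarse, 2, TS_PREC_NANO),
           (long long)effective_granularity_ns(sample_fine, 1, TS_PREC_NANO));
    return 0;
}
```

A result of 1000 on a handle that reports nanosecond precision means the values are nanosecond-unit but only microsecond-granular, which matters when ordering events across sensors in a forensic timeline.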
