
How is tcpdump's timestamp precision determined?

Reposted. Author: 行者123. Last updated: 2023-12-02 01:03:18

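I want to get tcpdump output with a lower time resolution (in milliseconds) instead of the default microseconds.

In the tcpdump manual I found the -j parameter, which accepts "host_lowprec" and "host_hiprec" as precision values: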

tcpdump -i any -n -j host_lowprec "tcp"

I have two questions:

  1. host_lowprec = ? precision and host_hiprec = ? precision

  2. Can I set the precision to milliseconds or nanoseconds? If so, how?

Best answer

To answer your first question:

The tcpdump man page says of the -j option:

-j tstamp_type
--time-stamp-type=tstamp_type
Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.

The pcap-tstamp(7) man page says:

... The time stamp types are listed here; the first value is the #define to use in code, the second value is the value returned by pcap_tstamp_type_val_to_name() and accepted by pcap_tstamp_type_name_to_val().

PCAP_TSTAMP_HOST - host
Time stamp provided by the host on which the capture is being done. The precision of this time stamp is unspecified; it might or might not be synchronized with the host operating system's clock.

PCAP_TSTAMP_HOST_LOWPREC - host_lowprec
Time stamp provided by the host on which the capture is being done. This is a low-precision time stamp, synchronized with the host operating system's clock.

PCAP_TSTAMP_HOST_HIPREC - host_hiprec
Time stamp provided by the host on which the capture is being done. This is a high-precision time stamp; it might or might not be synchronized with the host operating system's clock. It might be more expensive to fetch than PCAP_TSTAMP_HOST_LOWPREC.

PCAP_TSTAMP_ADAPTER - adapter
Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp, synchronized with the host operating system's clock.

PCAP_TSTAMP_ADAPTER_UNSYNCED - adapter_unsynced
Time stamp provided by the network adapter on which the capture is being done. This is a high-precision time stamp; it is not synchronized with the host operating system's clock.

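Neither host_lowprec nor host_hiprec specifies an exact precision. The precision set with -j does not affect how time stamps are stored in the capture file; they are stored as seconds and microseconds, unless you have a newer version of tcpdump that supports the --time-stamp-precision option and the operating system can supply nanosecond time stamps, in which case they are stored as seconds and nanoseconds, and the file has a different "magic number" so that tcpdump/Wireshark/etc. can read the time stamps correctly.

All the -j option controls is how many digits of the microseconds (or nanoseconds) value are significant.

To answer your second question:

There is no mechanism in the pcap file for storing times as seconds and milliseconds, and there is no explicit option to request that the microseconds (or nanoseconds) value have only 3 significant digits.

There is an option to request that time stamps be stored as seconds and nanoseconds. If you are doing a live capture, this works only if the operating system supports delivering seconds-and-nanoseconds time stamps when capturing; this currently works only on newer versions of Linux.

What are you trying to accomplish here?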

For "How is tcpdump's timestamp precision determined?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25619631/
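An added example, not part of the original answer: a minimal reader for the classic pcap format that uses the file's magic number (0xa1b2c3d4 for microseconds, 0xa1b23c4d for nanoseconds) to interpret the stored time stamps, then truncates them to milliseconds at display time. The function names and the constructed sample captures are assumptions made for illustration.

```python
import struct

# Magic numbers from the pcap file format: the value tells a reader whether the
# fractional time stamp field counts microseconds or nanoseconds.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D


def read_timestamps(data):
    """Return (unit, [(sec, frac), ...]) for a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the writer's byte order is not known in advance
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    unit = "ns" if magic == MAGIC_NSEC else "us"
    stamps, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        stamps.append((sec, frac))
        off += 16 + incl_len  # skip the captured packet bytes
    return unit, stamps


def to_millis(sec, frac, unit):
    """Truncate a stored time stamp to whole milliseconds for display."""
    return sec * 1000 + frac // (1_000_000 if unit == "ns" else 1_000)


def build_sample(magic, endian, records):
    """Constructed sample capture: global header plus 4-byte dummy packets."""
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac in records:
        out += struct.pack(endian + "IIII", sec, frac, 4, 4) + b"\x00" * 4
    return out


if __name__ == "__main__":
    usec = build_sample(MAGIC_USEC, "<", [(1701478998, 123456)])
    nsec = build_sample(MAGIC_NSEC, ">", [(1701478998, 123456789)])
    for blob in (usec, nsec):
        unit, stamps = read_timestamps(blob)
        print(unit, [to_millis(s, f, unit) for s, f in stamps])
```

Reducing to milliseconds happens only when the values are rendered; the file itself still holds seconds plus microseconds or nanoseconds, as the answer describes.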
