2
votes

I have a couple of pcap files that I've created with vmnet-sniffer and with tcpdump. The files are from packets being sent in and out of a virtual machine. I'm reading the pcap files in with scapy and trying to find the inter-arrival times between packets, but I can't get any resolution higher than microseconds. Is there any way for scapy to give better/more precise information?

My code:

```python
from scapy.all import rdpcap

a = rdpcap("test.pcap")
for A in a:
    # scapy exposes each packet's capture timestamp (seconds since the epoch) as .time
    print(A.time)
```

2 Answers

3
votes
```
>>> a = rdpcap('/tmp/tmp.pcap')
>>> for A in a:
...     print('%.6f' % A.time)
... 
1429659651.461177
1429659651.461444
1429659651.461520
1429659651.461972
1429659651.462230
1429659651.465091
1429659651.465319
1429659651.465838
1429659651.466115
1429659651.466379
```

6 decimal places was arbitrary in the above example. The precision is much higher (with the pcap file generated on my machine at least):

```
>>> for A in a:
...     print('%.30f' % A.time)
... 
1429659651.461177110671997070312500000000
1429659651.461443901062011718750000000000
1429659651.461519956588745117187500000000
1429659651.461971998214721679687500000000
1429659651.462229967117309570312500000000
1429659651.465090990066528320312500000000
1429659651.465318918228149414062500000000
1429659651.465837955474853515625000000000
1429659651.466114997863769531250000000000
1429659651.466378927230834960937500000000
```
0
votes

> Is there any way for scapy to give better/more precise information?

Only if the pcap files you're reading have higher-precision time stamps.

For the capture file created with tcpdump, it would have had to have been captured using tcpdump 4.6 or later, linked with libpcap 1.5 or later, and captured with --time-stamp-precision nano as an option to tcpdump. Otherwise, the time stamps in the file will have only microsecond precision.

You'd have to look at the first 4 bytes of the capture file from vmnet-sniffer to see whether its time stamps have nanosecond precision (the same test will work on the capture from tcpdump). If the first 4 bytes are A1 B2 C3 D4 or D4 C3 B2 A1, the time stamps in the file don't have nanosecond precision; if they're A1 B2 3C 4D or 4D 3C B2 A1, they do.

If scapy uses libpcap to read pcap files (there are Python wrappers for libpcap), then it would also have to use special APIs to request that libpcap supply nanosecond-resolution time stamps (for backwards compatibility, libpcap will, by default, discard the higher resolution and supply seconds-and-nanoseconds time stamps even when reading nanosecond-resolution-time-stamp files). If it uses its own code to read them, that code would have to know about nanosecond-resolution time stamps.
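A self-contained illustration of the magic-number check described above and of reading the timestamps without losing precision, added here as example code (it is not part of either answer and not scapy's own reader): it inspects the first 4 bytes of the file to determine byte order and whether the sub-second field holds microseconds or nanoseconds, then returns every packet's timestamp as integer nanoseconds. A float holding seconds cannot represent a nineteen-digit nanosecond timestamp exactly, which is why the values are kept as integers. The two sample files are constructed inline, not captured traffic.

```python
import struct
from typing import List, Tuple

# pcap magic numbers: the classic value marks microsecond timestamps,
# the "3C 4D" variant marks nanosecond timestamps (both may be byte-swapped).
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D

def pcap_timestamps_ns(data: bytes) -> List[int]:
    """Return each packet's timestamp as integer nanoseconds since the epoch."""
    (magic,) = struct.unpack('<I', data[:4])
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        endian = '<'
    else:
        (magic,) = struct.unpack('>I', data[:4])
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError('not a pcap file (unrecognised magic number)')
        endian = '>'
    scale = 1 if magic == MAGIC_NSEC else 1000  # microseconds -> nanoseconds
    stamps = []
    off = 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        # per-packet record header: ts_sec, ts_frac, captured length, original length
        sec, frac, caplen, _orig = struct.unpack(endian + 'IIII', data[off:off + 16])
        stamps.append(sec * 1_000_000_000 + frac * scale)
        off += 16 + caplen
    return stamps

def inter_arrival_ns(stamps: List[int]) -> List[int]:
    """Differences between consecutive timestamps, in nanoseconds."""
    return [b - a for a, b in zip(stamps, stamps[1:])]

def _build_pcap(magic: int, records: List[Tuple[int, int, bytes]], endian: str = '<') -> bytes:
    """Constructed test file: global header followed by (sec, frac, payload) records."""
    hdr = struct.pack(endian + 'IHHiIII', magic, 2, 4, 0, 0, 65535, 1)
    body = b''.join(struct.pack(endian + 'IIII', s, f, len(p), len(p)) + p
                    for s, f, p in records)
    return hdr + body

# Constructed samples (not real captures): the same two packets, once with a
# microsecond sub-second field and once with a nanosecond one.
USEC_PCAP = _build_pcap(MAGIC_USEC, [(1429659651, 461177, b'\x00' * 4),
                                     (1429659651, 461444, b'\x00' * 4)])
NSEC_PCAP = _build_pcap(MAGIC_NSEC, [(1429659651, 461177110, b'\x00' * 4),
                                     (1429659651, 461443901, b'\x00' * 4)])

if __name__ == '__main__':
    print(inter_arrival_ns(pcap_timestamps_ns(USEC_PCAP)))  # [267000]
    print(inter_arrival_ns(pcap_timestamps_ns(NSEC_PCAP)))  # [266791]
```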