Wireshark-users: Re: [Wireshark-users] Raw socket performance
From: kowsik <kowsik@xxxxxxxxx>
Date: Mon, 28 Jun 2010 17:00:51 -0700
Depends on which process opens the socket first. The kernel copies
incoming packets to these "taps" one at a time in sequence. Did you
try launching 'P' first before Wireshark?

K.
---
http://www.pcapr.net
http://twitter.com/pcapr
http://labs.mudynamics.com

On Mon, Jun 28, 2010 at 4:49 PM, Bryan Hoyt | Brush Technology
<bryan@xxxxxxxxxxx> wrote:
> Hi there,
>
> I'm using Wireshark to capture data that I'm receiving via a raw
> socket (on Linux) in another process (let's call it 'P').
>
> I record the timestamp of each packet P receives, and compare that
> with Wireshark's timestamp. Wireshark *always* receives the data
> ~10-30us before P does. But theoretically, they should both be on
> equal footing, because Wireshark captures the data in the same way as
> P (via a raw socket).
>
> Why am I seeing this difference?
>
>  - Bryan
>
> --
> Bryan Hoyt, Web Development Manager  --  Brush Technology
> Ph: +64 3 942 7833     Mobile: +64 21 238 7955
> Web: brush.co.nz