Subject: Re: non-standard way to capture network traffic
To: Vlad GALU <vladgalu@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-kern
Date: 09/24/2005 08:45:42
In message <79722fad0509240512364a1f80@mail.gmail.com>, Vlad GALU writes:
>On 9/24/05, Tonnerre <tonnerre@thundrix.ch> wrote:
>> Salut,
>>
>> On Sat, Sep 24, 2005 at 10:01:45AM +0200, Zeljko Vrba wrote:
>> > To explain in details:
>> >
>> > 1. I expect to receive incoming almost full 1Gbit of traffic on bge1. I
>> > will not be doing any outgoing traffic.
>> >
>> > 2. I don't need any network stack processing. After the ethernet frame
>> > is received, I want to record the following data only:
>> >   - arrival time, as precise as possible (read local APIC?)
>> >   - full TCP/UDP/IP header (I can parse eth frame myself, if necessary)
>> >   - the data load I will discard
>> >
>> > 3. The collected data needs to be written to disk. As few as possible
>> > frames should be lost.
>>
>> This can probably be done easiest by using pf and pflogd. Just drop and
>> log all packets on the interface, and disable outgoing just for not having
>> to bother with it. If the processor is fast enough...
>>
>
>  That's overkill. Why not simply use bpf ? It's fast enough for most
>needs, be they hardcore or not.
>

Does bpf provide an accurate-enough timestamp?  The better experiments 
I've seen that involve timestamped packet capture tend to do the 
timestamping in the driver itself.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
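Added illustration, not code from this thread: a C parser for the header-only record Zeljko describes, taking a raw frame as BPF hands it up behind its timestamped bpf_hdr and returning the IPv4/TCP/UDP header fields plus the byte count to keep so the payload can be discarded (a truncated capture is reported as incomplete rather than parsed). The function and struct names and the sample frame are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Result of header parsing on one captured frame (names are illustrative). */
struct hdr_info {
    int ok;              /* 1 if Ethernet/IPv4/{TCP,UDP} headers were complete */
    uint8_t proto;       /* IP protocol: 6 = TCP, 17 = UDP */
    uint16_t sport, dport;
    size_t keep;         /* bytes to keep: Ethernet + IP + L4 headers; rest is payload */
};
/* Parse Ethernet/IPv4/{TCP,UDP} headers of a raw frame (the bytes that follow
 * BPF's timestamped bpf_hdr) and report how many leading bytes are header;
 * everything after that is payload and can be dropped before writing to disk. */
struct hdr_info parse_headers(const uint8_t *f, size_t len)
{
    struct hdr_info h = {0};
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00)  /* IPv4 only */
        return h;
    size_t ihl = (size_t)(f[14] & 0x0f) * 4;             /* IP header length */
    if (ihl < 20 || len < 14 + ihl)
        return h;
    h.proto = f[14 + 9];
    const uint8_t *l4 = f + 14 + ihl;
    size_t l4len;
    if (h.proto == 6) {                                  /* TCP: data offset field */
        if (len < 14 + ihl + 20) return h;
        l4len = (size_t)(l4[12] >> 4) * 4;
        if (l4len < 20) return h;
    } else if (h.proto == 17) {                          /* UDP: fixed 8-byte header */
        l4len = 8;
    } else {
        return h;                                        /* other L4: not recorded */
    }
    if (len < 14 + ihl + l4len)                          /* truncated capture */
        return h;
    h.sport = (uint16_t)((l4[0] << 8) | l4[1]);
    h.dport = (uint16_t)((l4[2] << 8) | l4[3]);
    h.keep = 14 + ihl + l4len;
    h.ok = 1;
    return h;
}
/* Constructed sample frame: Ethernet + IPv4 (IHL 5) + TCP (offset 5) + 4 payload bytes. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x1f,0x90,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0,
    0xde,0xad,0xbe,0xef };
```

With BPF, the same byte count (here 54 of the 58 captured) is what a snaplen or filter return value should be sized to, so the payload never has to be copied up at all.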