• Displaying Hardware Timestamps in Wireshark

 
 
Print Friendly, PDF & Email

Overview

The Arista 7150S enables highly accurate timestamps (3ns granularity, 10ns accuracy) to be applied to all traffic flowing through the switch.

In this post we are presenting how you can quickly display hardware timestamps imposed by the Arista 7150S platform. This method does not need any special software to convert the frames. You simply need to run a live capture with Wireshark, or load a PCAP file.

If you need more details on hardware timstamping on the Arista 7150S, then please refer to this article:
https://eos.arista.com/timestamping-on-the-7150-series/

Here is an example of the timestamps being displayed in hex as a column in Wireshark:

    Screen-Shot-2013-07-05-at-11.49.441

 

Setting up Wireshark

To enable the display of timestamp in a Wireshark column, follow the instructions below:

  1. Right-click the column header and click ‘Column Preferences’
  2. Wireshare_Timestamp_1-1024x561

     

  3. Click ‘+ Add’
  4. Wireshare_Timestamp_2-1024x562

     

  5. For Field Type, choose ‘Custom’
  6. Wireshare_Timestamp_4-1024x565

     

  7. Enter in Field Name, ‘vlan.trailer’
  8. Wireshare_Timestamp_3-1024x561

     

  9. Give the column a title, i.e. ‘Timestamp’
  10. Wireshare_Timestamp_5

     

  11. You will now see the Timestamp column to the far right of the pane.
  12. wshark7

 

Alternatives

For more convenient timestamp consumption, some commercial software such as Corvil, TS Associates, and Packet2Disk provide the ability to decode the timestamps in hardware on the fly, at line rate.

If you have much lower performance requirements, or if you don’t need to decode timestamps on the fly but could be satisfied with a post-processing mechanism, then you could use a script to resolve the hardware timestamps into a high precision PCAP timestamp.

Such solution employs a script, provided by Arista. For more details regarding this please review this article:
https://eos.arista.com/decoding-utc-from-the-timestamps-on-7150-series/

 

Classical libpcap format only supports microsecond precision, therefore the decoding of the hardware timestamp was losing some precision in the decoding process. The recent version uses an enhanced timestamp format which has nanosecond granularity. This format is only available in relatively recent versions of Wireshark (e.g. 1.10.5+), which allows the ability to see the PCAP timestamps in nanoseconds.

Once a pcap file has been recorded with high precision pcap timestamps, it can be viewed in Wireshark, as per the below capture

 

Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: