libpcap uses timeval in pcap_pkthdr structure , which is returned by read pcap file routines . However timeval precision is in microseconds How can I read files and see timestamps with nsec ?
If you mean "How can I read fileswith libpcap and see timestamps with nsec ?", that's a libpcap question, rather than a Wireshark question.
But the answer is that, with newer versions of libpcap, you open the file with pcap_open_offline_with_tstamp_precision()
rather than with pcap_open_offline()
, and you pass it PCAP_TSTAMP_PRECISION_NANO
as the second argument.
If you do that, the timeval structure will be filled in with a seconds value and a nanoseconds value. I.e., tv_usec
will, the "user" notwithstanding, be filled in with a count of nanoseconds.
Note that this will be the case even for pcap and pcapng files with microsecond precision. There is currently no way to inquire what the precision of the capture file is.
Some capture file formats support higher resolutions, e.g. ERF files from Endace.
And e.g. pcap files with a magic number of 0xA1B23C4D, which is what they're trying to read, using libpcap.
Thank you. This is helpful.