
reading pcap files with nanosecond precision

asked 2021-06-08 00:38:57 +0000


The Wireshark UI displays packet arrival times with nanosecond precision. libpcap uses a timeval in the pcap_pkthdr structure, which is returned by the pcap file read routines. However, timeval precision is in microseconds. How can I read files and see timestamps with nsec?


Comments

Some capture file formats support higher resolutions, e.g. ERF files from Endace.

grahamb (2021-06-08 10:05:06 +0000)

And e.g. pcap files with a magic number of 0xA1B23C4D, which is what they're trying to read, using libpcap.

Guy Harris (2021-06-08 22:17:33 +0000)

Thank you. This is helpful.

edaniley (2021-06-09 20:18:20 +0000)

1 Answer


answered 2021-06-08 09:28:01 +0000


libpcap uses a timeval in the pcap_pkthdr structure, which is returned by the pcap file read routines. However, timeval precision is in microseconds. How can I read files and see timestamps with nsec?

If you mean "How can I read files with libpcap and see timestamps with nsec?", that's a libpcap question, rather than a Wireshark question.

But the answer is that, with newer versions of libpcap, you open the file with pcap_open_offline_with_tstamp_precision() rather than with pcap_open_offline(), and you pass it PCAP_TSTAMP_PRECISION_NANO as the second argument.

If you do that, the timeval structure will be filled in with a seconds value and a nanoseconds value. I.e., tv_usec will, the "usec" notwithstanding, be filled in with a count of nanoseconds.

Note that this will be the case even for pcap and pcapng files with microsecond precision. There is currently no way to inquire what the precision of the capture file is.

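The answer notes that libpcap gives no way to ask what a file's native precision is; for classic pcap files the magic number mentioned in the comments does tell you (0xA1B23C4D for nanosecond files, 0xA1B2C3D4 for the microsecond format). The C program below is an added example, not code from the answer or from libpcap: it reads the file header and the first record header directly, reports the file's precision from the magic, and normalises both kinds of file to nanoseconds, which is the same scaling libpcap applies when the file is opened with pcap_open_offline_with_tstamp_precision() and PCAP_TSTAMP_PRECISION_NANO. The byte arrays are constructed samples, not real captures, and pcapng is not handled.

```c
#include <stdint.h>
#include <string.h>

/* pcap file magic, stored in the writer's host byte order. */
#define PCAP_MAGIC_USEC 0xA1B2C3D4u   /* classic file: ts fraction is microseconds */
#define PCAP_MAGIC_NSEC 0xA1B23C4Du   /* ts fraction is nanoseconds */
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
/* Read a 32-bit field, undoing the writer's byte order when it differs from ours. */
static uint32_t rd32(const uint8_t *p, int swapped) {
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return swapped ? bswap32(v) : v;
}

/* Classify the 24-byte file header: 1 = nanosecond, 0 = microsecond, -1 = not pcap.
   *swapped (may be NULL) reports whether the writer's byte order differs from ours. */
int pcap_precision(const uint8_t *file, size_t len, int *swapped) {
    uint32_t magic;
    int nano = -1;
    if (len < 24) return -1;
    memcpy(&magic, file, sizeof magic);
    if (magic == PCAP_MAGIC_NSEC || magic == bswap32(PCAP_MAGIC_NSEC)) nano = 1;
    if (magic == PCAP_MAGIC_USEC || magic == bswap32(PCAP_MAGIC_USEC)) nano = 0;
    if (swapped) *swapped = (magic == bswap32(PCAP_MAGIC_NSEC) || magic == bswap32(PCAP_MAGIC_USEC));
    return nano;
}

/* Timestamp of the first packet record in nanoseconds since the epoch, 0 on error.
   The 16-byte record header after the file header is: ts_sec, ts_frac, caplen, len. */
uint64_t pcap_first_ts_ns(const uint8_t *file, size_t len) {
    int swapped, nano = pcap_precision(file, len, &swapped);
    if (nano < 0 || len < 24 + 16) return 0;
    uint64_t sec  = rd32(file + 24, swapped);
    uint64_t frac = rd32(file + 28, swapped);
    /* Scale microsecond files up so the caller always gets nanoseconds, which is
       what libpcap does when the file is opened with PCAP_TSTAMP_PRECISION_NANO. */
    return sec * 1000000000ull + (nano ? frac : frac * 1000ull);
}

/* Constructed samples, not real captures: little-endian file header plus one record
   header (packet bytes omitted); sec = 0x60BEB3A1, frac = 0x075BCD15 ns / 0x0001E240 us. */
const uint8_t SAMPLE_NSEC[40] = {
    0x4d,0x3c,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0xa1,0xb3,0xbe,0x60, 0x15,0xcd,0x5b,0x07, 0x3c,0,0,0, 0x3c,0,0,0 };
const uint8_t SAMPLE_USEC[40] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0xa1,0xb3,0xbe,0x60, 0x40,0xe2,0x01,0x00, 0x3c,0,0,0, 0x3c,0,0,0 };
```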

Comments

I saw pcap_open_offline_with_tstamp_precision() in the header file, however I could not find any information suggesting to view tv_usec as nanoseconds. And I still cannot. I made code changes and now can confirm that timestamps match values displayed by Wireshark. Thank you for the reply! It is very useful.

edaniley (2021-06-08 11:07:02 +0000)
