Ask Your Question
0

How to set packet timestamp in a dissector

asked 2024-10-02 16:25:25 +0000

Samuel gravatar image

I'm writing a custom dissector to parse data from a serial port. I'm passing the packets to Wireshark by sending udp packets. Wireshark seems to set the timestamp of packets based on the time of arrival into Wireshark. In my protocol, each message received on the serial port has a clock value, which is a clock value read by the firmware just prior to sending the message. I want to use this clock value to show an accurate timestamp relative to the previous packet.

For example, if my clock rate is 1 MHz, the time of arrival of the first packet is 1.0 seconds, the clock value of the first packet is 0, and the clock value of the second packet is 1000 (1 millisecond later), then I want the timestamp of the second packet to be 1.001. Is this possible? Or do I have to add a new field to my protocol which shows this clock-accurate timestamp?

edit retag flag offensive close merge delete

Comments

by sending udp packets
Please describe. Capturing with dumpcap? udpdump extcap?

Chuckc gravatar imageChuckc ( 2024-10-02 19:03:15 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2024-10-03 15:06:18 +0000

Anders gravatar image

Rather than sending the packets over udp you could have your program write them in pcap-ng file format and analyze the resulting file with wireshark.

edit flag offensive delete link more

Comments

Is it possible to write to a pcap-ng file and pipe it into Wireshark in real-time? Google says no. How about writing a pcap file and piping it into Wireshark? Google wasn't as clear on this one.

Samuel gravatar imageSamuel ( 2024-10-03 20:47:57 +0000 )edit

Please point to where "Google says no" about piping a pcapng file to Wireshark, which is in some ways easier than piping pcap data. Piping works with pcap and pcapng but not other formats.

johnthacker gravatar imagejohnthacker ( 2024-10-04 00:45:51 +0000 )edit
0

answered 2024-10-02 20:39:49 +0000

johnthacker gravatar image

The timestamp in the frame protocol is always a value written in the capture file for that frame that reflects the clock on the machine that made the capture. If you want a timestamp based on the packet payload, which would by contrast reflect the sender of the packet (possibly but not necessarily the capturing device), then you have to add a new field. Several dissectors, including the udp dissector, display times that compare a packet to a previous packet in the same stream, or requests and responses. You can look at those for ideas.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2024-10-02 16:25:25 +0000

Seen: 188 times

Last updated: Oct 03 '24