Hello,
Reading the 52 page specification on Pcapng, I've stumbled upon the following when trying to figure out timestamps.
Timestamp (High) and Timestamp (Low): upper 32 bits and lower 32 bits of a 64-bit timestamp. The timestamp is a single 64-bit unsigned integer that represents the number of units of time that have elapsed since 1970-01-01 00:00:00 UTC. The length of a unit of time is specified by the ’if_tsresol’ option (see Figure 10) of the Interface Description Block referenced by this packet. Note that, unlike timestamps in the libpcap file format, timestamps in Enhanced Packet Blocks are not saved as two 32-bit values that represent the seconds and microseconds that have elapsed since 1970-01-01 00:00:00 UTC. Timestamps in Enhanced Packet Blocks are saved as two 32-bit words that represent the upper and lower 32 bits of a single 64-bit quantity. (Page 23 - 24)
http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=txt/pdf&type=ascii
The specification mentions a couple of things:
"The amount of units"... What are these units? Nanoseconds, I presume. Is this correct?
The specification states that these "Timestamps in Enhanced Packet Blocks are saved as two 32-bit words that represent the upper and lower 32 bits of a single 64-bit quantity"... What does this mean?
How do I take an upper quantity of: 368776 and a lower quantity of 4040501221 and turn it into: Mar 10, 2020 19:01:40.000050917 Central Daylight Time? The hex dump of this timestamp is: 88 a0 05 00 e5 27 d5 f0
Thank you for your help.
