Hi Alfredo,

After checking out the newest commit, I observed 1 fix needed and
3 behavioral changes:

   1. one more line needs to be changed to have a proper time stamp:

/userland/libpcap-1.7.4/pcap-linux.c
@@ -1709,7 +1709,7 @@ pcap_read_packet(pcap_t *handle, pcap_handler
callback, u_char *userdata)
                                caplen = pcap_header.caplen, packet_len =
pcap_header.len;
                                if (pcap_header.extended_hdr.timestamp_ns
&& handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) {
                                        pcap_header.ts.tv_sec  =
pcap_header.extended_hdr.timestamp_ns / 1000000000;
-                                       pcap_header.ts.tv_usec =
pcap_header.extended_hdr.timestamp_ns % 1000;
+                                       pcap_header.ts.tv_usec =
pcap_header.extended_hdr.timestamp_ns % 1000000000;
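
Review bot: the tv_sec division and the changed tv_usec modulo each spell out 1000000000 as a separate literal, which is how the divisor and the modulus came to disagree in the removed line; a single named constant used by both lines would keep them in sync. The tv_usec assignment also deserves a one-line comment saying that the field carries nanoseconds in this branch, since the field name suggests microseconds and the PCAP_TSTAMP_PRECISION_NANO test in the condition is the only hint.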


   2. time stamp read by tcpdump is different from wireshark

               In wireshark, the time stamp is read correctly with
nanosecond precision. In tcpdump, the nanosecond fraction is a constant and
varies every time we read the file.

   3. incorrect packet content and filter not applicable.

               The whole packet frame has the wrong length, and I am unable to
decode the correct content from the MAC level.

Attached is the captured pcap file.

Best,
Mark

2016-06-03 1:35 GMT+08:00 Alfredo Cardigliano <[email protected]>:

> Hi Marco
> you are right, the pcap header is nsec but the time in the packet header
> is actually usec, thus wireshark treats it as nsec,
> I made some changes to libpcap on github, please update and let me know if
> it fixes this issue.
>
> Alfredo
>

Attachment: c.pcap
Description: Binary data
