On Feb 14, 2014, at 7:41 PM, Chris Kilgour <tec...@whiterocker.com> wrote:
> The motivation was classic pcap. I was up on pcap-ng, but did not realize
> the pcap format has an updated variant with higher-precision timestamps.
Yup. Use 0xa1b23c4d, rather than 0xa1b2c3d4, as the magic number, as per
http://www.tcpdump.org/manpages/pcap-savefile.5.html
Newer versions of libpcap have APIs to allow an application doing a live
capture to request nanosecond time stamp resolution for time stamps (which may
return PCAP_ERROR_TSTAMP_PRECISION_NOTSUP if the device doesn't support
nanosecond resolution) and to indicate, when opening a saved capture file, that
it wants seconds-and-nanoseconds time stamps rather than
seconds-and-microseconds time stamps (if the file contains
microsecond-resolution time stamps, the microseconds value is multiplied by
1000; there really should be an API to say "how precise are the time stamps in
this file").
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
