Yes, that's the behavior I have implemented in Wireshark and our internal 
tools. 

--scott

> On Jan 5, 2017, at 8:52 PM, Guy Harris <g...@alum.mit.edu> wrote:
> 
>> On Jan 5, 2017, at 8:48 PM, Scott Deandrea <sdeand...@apple.com> wrote:
>> 
>> The mach absolute time base is different between ARM and x86/x64, though 
>> developers won’t have access to packet capture on iOS devices (internally 
>> the packet capture is used on iOS devices).  The developers that would be 
>> using this software capture are familiar with the Mach Absolute Time format 
>> as it is the same values returned by the real software stack so I don’t see 
>> any need to change the format to nanoseconds.
> 
> ...so a Wireshark dissector, or tcpdump printer, for these packets would 
> presumably just show the time stamps as a raw 64-bit value, without any 
> interpretation, and leave it up to the person reading the capture to 
> interpret it.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
