Wireshark UI displays packet arrival with nanosecond precision. libpcap uses timeval in pcap_pkthdr structure , which is returned by read pcap file routines . However timeval precision is in microseconds How can I read files and see timestamps with nsec ?
libpcap uses timeval in pcap_pkthdr structure , which is returned by read pcap file routines . However timeval precision is in microseconds How can I read files and see timestamps with nsec ?
If you mean "How can I read fileswith libpcap and see timestamps with nsec ?", that's a libpcap question, rather than a Wireshark question.
But the answer is that, with newer versions of libpcap, you open the file with pcap_open_offline_with_tstamp_precision() rather than with pcap_open_offline(), and you pass it PCAP_TSTAMP_PRECISION_NANO as the second argument.
If you do that, the timeval structure will be filled in with a seconds value and a nanoseconds value. I.e., tv_usec will, the "user" notwithstanding, be filled in with a count of nanoseconds.
Note that this will be the case even for pcap and pcapng files with microsecond precision. There is currently no way to inquire what the precision of the capture file is.
I saw pcap_open_offline_with_tstamp_precision() in the header file, however I could not find any information suggesting to view tv_usec as nanoseconds. And I sill cannot. I made code changes and now can confirm that timestamps match values displayed by Wireshark. Thank you for the reply! It is very useful.
Comments
Some capture file formats support higher resolutions, e.g. ERF files from Endace.
And e.g. pcap files with a magic number of 0xA1B23C4D, which is what they're trying to read, using libpcap.
Thank you. This is helpful.