guyharris
commented
5 years ago There isn't a standard way to do that.
The pcapng format doesn't explicitly indicate what the timestamp represents; it just speaks of it as a timestamp.
And many of the capture mechanisms that provide packets to put into pcapng files don't specify that, either; packets are typically captured on network interfaces managed by the host OS's networking stack, and the timestamp of a packet is the time at which the part of the network interface that adds timestamps to packets sees the packet. This can be - and usually is - some unknown amount of time after the last bit of the packet reached the network adapter when receiving packets. When the packet is sent by the host doing the packet capture, it's some unknown amount of time before the first bit of the packet is transmitted by the network adapter.
If your protocol will require a new LINKTYPE/DLT value to put it in a pcapng (or pcap) file, I would suggest having the packets begin with a pseudo-header giving both the start time and the end time of the packet, unless you choose to make one of those times be the timestamp in the pcapng EPB.
Is there a way in the pcapng format to provide a second timestamp for a packet? I am looking at an RS485 UART serial protocol. Packets can have different BAUD rates and different delays between single Bytes. For analysing the protocol it is important to know the time gap between the end of one packet and the start of the next packet. So my question is whether a standard way exists in pcapng to have a second timestamp in a packet for the end of transmission.