Closed tbarbette closed 5 months ago
Hi there,
Normally libtrace tries to preserve the original packet metadata unless you are converting to a trace format that natively has a less precise timestamp.
Would you be able to share the exact set of arguments you are passing to traceanon, as well as the output of running the file tool against your unanonymized trace file?
If you would prefer to send these to me directly rather than via a public GitHub issue, you can email me: shane@alcock.co.nz
Thanks
Hi! Thanks for the help.
The part of interest in the command is:
ssh ... "cat trace.pcap" | traceanon -c "$mykey" -s pcapfile:- pcapfile:- | ssh ... "cat - > trace-anon.pcap"
I'm not at liberty to share the trace.
Wireshark capture of the original.
After the anonymisation process (it's another packet though)
Also, picking on your attention, what would you recommend for fixing the FCS and checksum? :)
Thanks, Tom
I think pcap headers are always being written with the normal magic number rather than the nanosecond variant (https://github.com/LibtraceTeam/libtrace/blob/master/lib/format_pcapfile.c#L517).
This was enough for me to replicate on my machine:
$ sudo tcpdump -i eno2 -c 2 -w timestamps.pcap --time-stamp-precision=nano
$ tracesplit pcapfile:timestamps.pcap pcapfile:timestamps2.pcap
$ file timestamps.pcap timestamps2.pcap
timestamps.pcap: pcap capture file, nanosecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
timestamps2.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65536)
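The magic-number difference referred to above can be checked without the file tool. The following is an added example, not code from this thread or from libtrace; the function names and the in-memory sample captures are constructed here, and the scaled-down fraction in the second sample is an assumption about what a microsecond rewrite would contain.

```python
import struct

# pcap global-header magic numbers (classic libpcap savefile format)
MAGIC_USEC = 0xA1B2C3D4  # record timestamps are seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D  # record timestamps are seconds + nanoseconds

def pcap_info(data: bytes) -> dict:
    """Parse the 24-byte global header and, if present, the first record header."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The writer's byte order is unknown, so try both when reading the magic.
    for endian, name in (("<", "little"), (">", "big")):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    info = {"precision": "nano" if magic == MAGIC_NSEC else "micro",
            "endian": name, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype, "first_ts": None}
    if len(data) >= 40:
        sec, frac, _incl, _orig = struct.unpack(endian + "IIII", data[24:40])
        # A fraction too large for the declared unit means the header magic
        # and the record timestamps disagree.
        limit = 10**9 if magic == MAGIC_NSEC else 10**6
        if frac >= limit:
            raise ValueError("fraction %d out of range for %s file"
                             % (frac, info["precision"]))
        info["first_ts"] = (sec, frac)
    return info

def precision_preserved(original: bytes, converted: bytes) -> bool:
    """True when both captures declare the same timestamp precision."""
    return pcap_info(original)["precision"] == pcap_info(converted)["precision"]

def make_pcap(magic, snaplen, sec, frac, payload=b"\x00" * 14):
    """Build a one-packet little-endian pcap in memory (constructed sample data)."""
    hdr = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, 1)  # 1 = Ethernet
    rec = struct.pack("<IIII", sec, frac, len(payload), len(payload))
    return hdr + rec + payload

if __name__ == "__main__":
    src = make_pcap(MAGIC_NSEC, 262144, 1600000000, 123456789)
    # Assumed shape of a microsecond rewrite: other magic, fraction scaled down.
    dst = make_pcap(MAGIC_USEC, 65536, 1600000000, 123456)
    print(pcap_info(src), pcap_info(dst), precision_preserved(src, dst))
```

Running a check like this on both ends of a conversion or anonymisation pipeline catches silent precision loss before the trace is used for timing analysis.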
Thanks @brendonj -- I see the problem now. I'm working on a fix now, but there are some additional complications that crop up when converting to / from other formats.
This problem should now be resolved. I've pushed out a new packaged release (4.0.26) that includes the fix.
Please feel free to re-open this issue if you are still experiencing issues.
Yes, it works! Thanks!
Hi all, I'm using traceanon to anonymize a trace, as one might guess.
However, my input trace has nanosecond precision. But the output one is back to microsecond.
Is there a solution to keep it? I'm using the latest Ubuntu build. I also tried the version from the current git, it's still micro.
Thanks, Tom