Closed lake4790k closed 3 years ago
lake4790k
commented
3 years ago Here's the global the header and first record header of such a file:
4d 3c b2 a1 02 00 04 00 00 00 00 00 00 00 00 00
d8 7f 00 00 01 00 00 00 37 42 c2 60 a9 38 15 07The last 4 bytes (a9 38 15 07) are the ts_usec of the first record which wireshark correctly shows as 118831273 nanoseconds, while RawPacket returns a timespec with 118831000 as tv_nsec. (v21.05 on mac)
lake4790k
commented
3 years ago turns out pcap needs to be opened with pcap_open_offline_with_tstamp_precision("file.pcap", PCAP_TSTAMP_PRECISION_NANO, errbuf) otherwise libpcap itself truncates it.
seladb
commented
3 years ago hi @lake4790k , thanks for pointing this out! It's great to see that libpcap does support nanosecond resolution. Unfortunately only the newer versions of libpcap support this and no version of WinPcap :(
The one official variant of the file is a version that supports nanosecond-precision time stamps. Libpcap 1.5.0 and later can read files in that format; older versions of libpcap, and all current versions of WinPcap, cannot read it. Older versions of Wireshark cannot read it; current versions can read it and can show the full nanosecond-resolution time stamps.
In #645 it was stated that pcap files can't have nanoseconds precision, but that's not true: https://wiki.wireshark.org/Development/LibpcapFileFormat#File_Format
pcap++ will truncate the sub microseconds of such a file while wireshark shows the last 3 digits properly.