tcpdump mailing list archives

record capture time period in the .pcap file


From: Denis Ovsienko <denis () ovsienko info>
Date: Sun, 08 Oct 2017 13:04:30 +0100

Hello list.

It had recently crossed my mind that it would be useful to know when a packet capture started and when it finished. 
This is currently not the same as the timestamps of the first and the last packet in the file.

For example, if you see a single DNS query in the file and you expect multiple queries, it helps to know that the capture actually lasted for the 3-hour period of time you are troubleshooting and not for a random few seconds around that single packet, for whatever reason.

Whilst it is not too late to consider this for pcapng format, in a traditional .pcap file the only reasonable way to 
record this information seems to be injecting two made-up packets at the beginning and the end, such that the 
timestamps of those packets encode the timeframe of the whole capture. Would zero-length packets be the best data units 
for that purpose, considering both old and new implementations?

-- 

    Denis Ovsienko
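As an added illustration of the scheme proposed above (this is example code written for this page, not code from Denis or from the tcpdump/libpcap project), the following Python writes a classic .pcap file with a zero-length record at each end whose timestamps bound the capture, and reads the window back. The file layout (24-byte global header, 16-byte per-record header with ts_sec/ts_usec/incl_len/orig_len) is the standard libpcap format; the marker convention itself (orig_len == 0 and incl_len == 0, first and last record) is the assumption under test, and the sample Ethernet frame and timestamps are constructed for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution classic pcap magic
PCAP_VERSION = (2, 4)
LINKTYPE_ETHERNET = 1

# Constructed sample frame (broadcast ARP-sized Ethernet frame, 42 bytes); not a real capture.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200000000aa" "0806") + b"\x00" * 28


def _record(ts_sec, ts_usec, data, byteorder="<"):
    """One pcap packet record: 16-byte header (ts_sec, ts_usec, incl_len, orig_len) + data."""
    return struct.pack(byteorder + "IIII", ts_sec, ts_usec, len(data), len(data)) + data


def build_pcap(packets, start=None, end=None, linktype=LINKTYPE_ETHERNET,
               snaplen=65535, byteorder="<"):
    """Serialize a classic pcap file.

    packets: iterable of (ts_sec, ts_usec, frame_bytes), in capture order.
    start/end: optional (sec, usec) tuples; when given, a zero-length record is
    written as the first and last record to mark when the capture began and ended.
    (Marker convention assumed for this example; it is not part of the pcap spec.)
    """
    major, minor = PCAP_VERSION
    out = bytearray(struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, major, minor,
                                0, 0, snaplen, linktype))
    if start is not None:
        out += _record(start[0], start[1], b"", byteorder)
    for ts_sec, ts_usec, data in packets:
        out += _record(ts_sec, ts_usec, data, byteorder)
    if end is not None:
        out += _record(end[0], end[1], b"", byteorder)
    return bytes(out)


def parse_pcap(blob):
    """Parse a classic pcap file; returns (linktype, [(ts_sec, ts_usec, orig_len, data), ...]).

    Byte order is detected from the magic number. Record lengths are checked against
    the buffer so a truncated or hostile file raises instead of reading out of bounds.
    """
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        byteorder = "<"
    elif magic == 0xD4C3B2A1:          # same magic seen through the other byte order
        byteorder = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic 0x%08x)" % magic)
    _, _, _, _, _, _, linktype = struct.unpack_from(byteorder + "IHHiIII", blob, 0)

    records = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(byteorder + "IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, data))
    return linktype, records


def _is_marker(rec):
    # A marker is a record carrying no bytes at all: orig_len == 0 and incl_len == 0.
    return rec[2] == 0 and len(rec[3]) == 0


def capture_window(blob):
    """Return ((start_sec, start_usec), (end_sec, end_usec), from_markers).

    from_markers is True when the window came from zero-length boundary records;
    otherwise the window is merely the first and last packet timestamps, which is
    exactly the weaker information the marker scheme is meant to improve on.
    """
    _, records = parse_pcap(blob)
    if not records:
        return None
    first, last = records[0], records[-1]
    from_markers = len(records) >= 2 and _is_marker(first) and _is_marker(last)
    return (first[0], first[1]), (last[0], last[1]), from_markers


if __name__ == "__main__":
    window = ((1507460000, 0), (1507470800, 0))          # a constructed 3-hour window
    blob = build_pcap([(1507461234, 500000, SAMPLE_FRAME)], start=window[0], end=window[1])
    print(capture_window(blob))
```

A reader that does not know the convention simply sees two empty packets with the right timestamps, which is the backwards-compatibility property the proposal relies on; a reader that does know it can tell a genuine 3-hour capture with one DNS query from a few seconds captured around that query.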



