Re: nanosecond timestamp

[Guy Harris <guy () alum mit edu>]

On Dec 9, 2004, at 12:48 PM, Dumas Hwang wrote:

>             I would like to get nanosecond resolution on Solaris in
> libpcap.  What's the best way to go about it?  I suppose it's not a 
> good
> idea to change struct timeval ts in pkthdr to timespec.

That would be an amazingly bad idea (and it was an amazingly bad idea 
when IBM did it; they then proceeded to make it worse when they also 
used SNMP interface types rather than the "we started with ARP types 
but then just added new types" DLT_ values, so that not only are the 
time stamps different from what a program expecting a libpcap file 
would expect, the *link-layer type values in the file header* are 
different - Ethereal has some hacks to try to guess whether the file is 
an AIX file or not, and if we're willing to give up the ability to read 
pre-libpcap-0.4 PPP captures, libpcap could adopt those hacks, too).

> Should I add a new struct and request a new magic number?  I would 
> think many people
> need nanosecond resolution (if not picosecond).

That's probably a reasonable short-term answer, if you need this soon.  
I wouldn't do much of anything more in the new format, though, because 
the right long term answer is

        http://www.tcpdump.org/pcap/pcap.html

which supports a number of new things, including the ability to specify 
the accuracy of time stamps.  It'd be nice to add the ability to *read* 
that format to libpcap 0.9, but still have it write the old format, so 
that when we add the ability to *write* that format, there will be at 
least some versions of libpcap that will be able to handle new-format 
captures with only one interface.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.