Wireshark mailing list archives

Re: PCAP-NG Timestamp Units


From: Guy Harris <guy () alum mit edu>
Date: Thu, 16 Jun 2016 22:41:28 -0700

On Jun 16, 2016, at 9:47 PM, Paul Offord <Paul.Offord () advance7 com> wrote:
 

The document PCAP Next Generation (pcapng) Capture File Format describes the timestamp value like this:
 
The timestamp is a single 64-bit unsigned integer representing the number of units since 1/1/1970 00:00:00 UTC.
 
The document doesn’t define “units”.  Is a unit a microsecond?

What the document says in the "Interface Definition Block" section:

        
http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.4.2

is

        if_tsresol:

        The if_tsresol option identifies the resolution of timestamps. If the Most Significant Bit is equal to zero,
        the remaining bits indicate the resolution of the timestamp as a negative power of 10 (e.g. 6 means
        microsecond resolution, timestamps are the number of microseconds since 1/1/1970). If the Most Significant
        Bit is equal to one, the remaining bits indicate the resolution as a negative power of 2 (e.g. 10 means
        1/1024 of second). If this option is not present, a resolution of 10^-6 is assumed (i.e. timestamps have
        the same resolution of the standard 'libpcap' timestamps).

        Example: '6'.

and in the "Enhanced Packet Block" section:

        
http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.4.3

is:

        The Enhanced Packet Block has the following fields: 

                ...

        * Timestamp (High) and Timestamp (Low): high and low 32-bits of a 64-bit quantity representing the
          timestamp. The timestamp is a single 64-bit unsigned integer representing the number of units since
          1/1/1970 00:00:00 UTC. The way to interpret this field is specified by the 'if_tsresol' option (see
          Figure 10) of the Interface Description block referenced by this packet. Please note that differently
          from the libpcap file format, timestamps are not saved as two 32-bit values accounting for the seconds
          and microseconds since 1/1/1970. They are saved as a single 64-bit quantity saved as two 32-bit words.

So a "unit", for a packet that arrived on a particular interface, is whatever the time stamp resolution is on that 
interface.  The *default* meaning of a "unit" is 1 microsecond, but it can be set to other powers of 10 or 2, e.g. 1 
nanosecond.

It should probably make it clearer what a "unit" is in the EPB section.  I'll look at improving that.
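Added example, not part of the original message and not Wireshark's code: a small Python decoder for the rule described above, showing how the same 64-bit Enhanced Packet Block value turns into a different wall-clock time when it is paired with the wrong interface's if_tsresol, which is how a capture-based timeline can end up in 1970. The function names and sample bytes are constructed for illustration; the option code (9) and the 8-byte fixed part of the Interface Description Block body are taken from the pcapng draft.

```python
import struct
from datetime import datetime, timezone
from fractions import Fraction

IF_TSRESOL = 9        # pcapng option code of if_tsresol
DEFAULT_TSRESOL = 6   # option absent: 10^-6, same as classic libpcap

def units_per_second(tsresol):
    """Decode the one-byte if_tsresol value: MSB clear = power of 10, MSB set = power of 2."""
    exponent = tsresol & 0x7F
    return 2 ** exponent if tsresol & 0x80 else 10 ** exponent

def idb_tsresol(idb_body, endian="<"):
    """Return if_tsresol from an Interface Description Block body, or the default."""
    offset = 8  # skip LinkType (2), Reserved (2), SnapLen (4)
    while offset + 4 <= len(idb_body):
        code, length = struct.unpack_from(endian + "HH", idb_body, offset)
        offset += 4
        if code == 0:  # opt_endofopt
            break
        if offset + length > len(idb_body):
            raise ValueError("option value runs past the end of the block")
        if code == IF_TSRESOL:
            if length != 1:
                raise ValueError("if_tsresol must be exactly one byte")
            return idb_body[offset]
        offset += (length + 3) & ~3  # option values are padded to 32 bits
    return DEFAULT_TSRESOL

def epb_seconds(ts_high, ts_low, tsresol):
    """Join Timestamp (High)/(Low) into one 64-bit count and scale it to seconds."""
    return Fraction((ts_high << 32) | ts_low, units_per_second(tsresol))

def to_utc(seconds):
    """Format exact seconds since the epoch as a UTC string with nanosecond digits."""
    whole, frac = divmod(seconds, 1)
    stamp = datetime.fromtimestamp(int(whole), tz=timezone.utc)
    return f"{stamp:%Y-%m-%d %H:%M:%S}.{int(frac * 10**9):09d}Z"

def make_idb(options=b""):
    """Constructed sample: Ethernet IDB body, little-endian, with the given raw options."""
    return struct.pack("<HHI", 1, 0, 65535) + options

# Constructed sample: one instant, stored by an interface with no if_tsresol option.
EPOCH = int(datetime(2016, 6, 17, 5, 41, 28, tzinfo=timezone.utc).timestamp())
RAW = EPOCH * 10**6 + 500_000            # microsecond units
HIGH, LOW = RAW >> 32, RAW & 0xFFFFFFFF
NS_OPT = struct.pack("<HHB3x", IF_TSRESOL, 1, 9) + struct.pack("<HH", 0, 0)

if __name__ == "__main__":
    print(to_utc(epb_seconds(HIGH, LOW, idb_tsresol(make_idb()))))        # correct interface
    print(to_utc(epb_seconds(HIGH, LOW, idb_tsresol(make_idb(NS_OPT)))))  # wrong interface
```

When reading a multi-interface capture, resolve each packet's Interface ID to its own Interface Description Block before scaling; a single file-wide resolution is only safe when every interface agrees.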