Wireshark-dev: Re: [Wireshark-dev] PCAP

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 9 Jun 2008 18:23:49 -0700

On Jun 9, 2008, at 9:39 AM, Nicholas Marra wrote:

I’m adding a feature to a dissector I created that compares the System PCAP timestamp with the Dissected Message Timestamp. The goal is to compare the two timestamps and see if they are off by a certain amount of time. I located the PCAP Timestamp within the dissect_frame function in the packet-frame.c file. This is located in the wireshark/epan/dissectors directory. The Message Timestamp is located in wireshark/plugins/dar. I included the appropriate header files in both the packet-frame.c and my plugin c file. I set a variable in both c files to store the value of the times. However, I have been unable to get the variables to be set at the right time. I need the PCAP Timestamp value to be passed to my plugin c file for use in my comparison. Does anyone have any suggestions on how I may do this?

As Jaap Keuter noted, you get the pcap time stamp from pinfo->fd- >abs_ts, just as the dissect_frame() function does. If your plugin is a dissector, it gets passed a pinfo pointer, which it can use to get the pcap time stamp.

Note, however, that the pcap timestamp for a packet captured from a regular network interface (as opposed to a special capture-only interface that supplies its own time stamps, such as a device from Endace or CACE Technologies) is the system time at the point when the packet was time-stamped; that's the point at which the part of the networking stack that time-stamps packets sees the packet, which could be a significant time *after* the packet was received by the host for incoming packets, and is some time *before* the packet is transmitted for outgoing packets.

I.e., unless you're capturing on a device such as an Endace card or a CACE AirPcap adapter, don't assume the time stamps have high accuracy.