Wireshark-dev: Re: [Wireshark-dev] pcap-ng support
From: Ulf Lamping <[email protected]>
Date: Mon, 21 Jan 2008 22:00:40 +0100
Gianluca Varenni wrote:
I think the description of timestamp formats is quite bad in the specs.
The timestamps are represented as a 64-bit quantity split into high and low 32 bits, that represent the number of microseconds/nanoseconds/??? from 1/1/1970 (that's the meaning of "in standard unix format i.e. since 1/1/1970"). The reason behind using a single 64-bit quantity instead of seconds/subseconds is twofold: 1. if we use seconds and subseconds, 32 bits don't allow us to go under the nanosecond. 2. several hardware-based capture cards represent timestamps as nanoseconds/microseconds as a single 64-bit quantity, i.e. they don't split them into seconds and subseconds.
BTW, there was a discussion on the timestamp format on the ntar-workers mailing list, here:
http://www.winpcap.org/pipermail/ntar-workers/2006-March/000122.html
Yes, the timestamp spec of the EPB (and PB) is *very misleading* here and definitely needs a clarification! The structure - and the descriptive text - looks far too much "libpcap like" to get an idea that it's actually different.
Reading the text a few times now, I think it's even not very consistent in itself ...
Regards, ULFL
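
The difference between the two readings discussed in this mail, as an added example that is not part of the original message or of Wireshark's code: the same high/low pair decoded as one 64-bit tick count and, for contrast, misread as libpcap-style seconds/microseconds. The function names, the `units_per_sec` parameter and the sample timestamp are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Seconds since 1970-01-01 plus the sub-second part in nanoseconds. */
struct ts { uint64_t secs; uint64_t nsecs; };

/* Reading described in the mail: high and low are the two halves of ONE
 * 64-bit count of time units since the epoch. units_per_sec is an assumed
 * parameter (1000000 for microseconds, 1000000000 for nanoseconds). */
static int decode_ts64(uint32_t high, uint32_t low, uint64_t units_per_sec,
                       struct ts *out)
{
    if (out == NULL || units_per_sec == 0 || units_per_sec > 1000000000ULL)
        return -1;                      /* finer units would overflow below */
    uint64_t ticks = ((uint64_t)high << 32) | low;
    out->secs  = ticks / units_per_sec;
    out->nsecs = (ticks % units_per_sec) * 1000000000ULL / units_per_sec;
    return 0;
}

/* The "libpcap like" misreading: high = seconds, low = microseconds. */
static struct ts misread_sec_usec(uint32_t high, uint32_t low)
{
    struct ts t = { high, (uint64_t)low * 1000ULL };
    return t;
}

int main(void)
{
    /* Constructed sample: 1200949240.5 s after the epoch, in microseconds. */
    uint64_t ticks = 1200949240500000ULL;
    uint32_t high = (uint32_t)(ticks >> 32), low = (uint32_t)ticks;
    struct ts ok, bad = misread_sec_usec(high, low);

    if (decode_ts64(high, low, 1000000ULL, &ok) != 0)
        return 1;
    printf("high=%" PRIu32 " low=%" PRIu32 "\n", high, low);
    printf("64-bit reading : %" PRIu64 ".%09" PRIu64 " s\n", ok.secs, ok.nsecs);
    printf("sec/usec read  : %" PRIu64 " s (sub-second field out of range: %s)\n",
           bad.secs, bad.nsecs >= 1000000000ULL ? "yes" : "no");
    return 0;
}
```

A parser that takes the sec/usec reading places this packet a few days after the epoch instead of in 2008, which silently corrupts any timeline built from the capture.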