Wireshark-dev: Re: [Wireshark-dev] pcap-ng support

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Mon, 18 Feb 2008 14:28:58 -0800

Steve,

I think there is something weird going on. I'm using rev 24375.

I captured a bunch of Ethernet packets; when I ask to save the file in pcap-ng format, the timestamps on the screen all become the same (1969-12-31 16:00:00.000000).

I checked with my other tool, but unfortunately it only reads captures with nanosecond precision. So I checked with a hex editor, and the timestamp on the packets (well, at least the first packet) is 0.

Let me know if you need any help.

Have a nice day
GV



----- Original Message -----
From: "Stephen Fisher" <stephentfisher@xxxxxxxxx>
To: "Developer support list for Wireshark" <wireshark-dev@xxxxxxxxxxxxx>
Sent: Saturday, February 16, 2008 12:10 AM
Subject: Re: [Wireshark-dev] pcap-ng support


On Thu, Jan 17, 2008 at 04:31:46PM -0800, Gianluca Varenni wrote:

> FYI today I tried opening a pcap-ng file with Wireshark rev 24118, and
> it sort of worked.
>
> What doesn't work:
>
> - timestamps are wrong. There are two problems here:
>  1. the IDB option for the timestamp precision is not decoded, and I
> was generating timestamps with nanosecond precision.
>  2. timestamps are not in the libpcap fashion (seconds and
> microseconds, or seconds and nanoseconds). It's a single 64-bit
> quantity that is split into high and low 32 bits.

This has been fixed in SVN revision 24349.  I can now read icmp2.ntar
from the Wiki and get the sample timestamps that appear in the graphic.
Wireshark also writes the correct timestamps.  Would you mind verifying
with your other tool that can read pcapng files that the Wireshark
timestamps are done correctly?


Thanks,
 Steve

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
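
The two timestamp points raised in this thread (the IDB timestamp-resolution option, and the single 64-bit value split into high and low 32 bits) can be checked independently with a small reader. This is an added example, not code from the thread or from Wireshark; it assumes a little-endian section, Enhanced Packet Blocks (type 6), and the `if_tsresol` option (code 9) as laid out in the pcapng specification, and the sample capture and all helper names are constructed for illustration.

```python
import struct

SHB, IDB, EPB, IF_TSRESOL = 0x0A0D0D0A, 1, 6, 9   # block types, IDB option code

def block(btype, body):   # generic framing: type, total length, body, total length
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def idb(tsresol=None):
    body = struct.pack("<HHI", 1, 0, 65535)            # Ethernet, reserved, snaplen
    if tsresol is not None:                            # if_tsresol, padding, end-of-options
        body += struct.pack("<HHB3xHH", IF_TSRESOL, 1, tsresol, 0, 0)
    return block(IDB, body)

def epb(iface, ticks, pkt=b"\x00" * 4):
    # The 64-bit tick count is stored as high 32 bits, then low 32 bits.
    hdr = struct.pack("<5I", iface, ticks >> 32, ticks & 0xFFFFFFFF, len(pkt), len(pkt))
    return block(EPB, hdr + pkt)

def ticks_per_second(idb_body):
    off, resol = 8, 6        # options follow 8 fixed bytes; default is microseconds
    while off + 4 <= len(idb_body):
        code, length = struct.unpack_from("<HH", idb_body, off)
        if code == 0:
            break
        if code == IF_TSRESOL and length == 1 and off + 4 < len(idb_body):
            resol = idb_body[off + 4]
        off += 4 + ((length + 3) & ~3)
    return 2 ** (resol & 0x7F) if resol & 0x80 else 10 ** resol   # high bit: base 2

def read_timestamps(data):
    """Return (seconds, nanoseconds) for each EPB of a little-endian section."""
    units, out, off = [], [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == IDB:
            units.append(ticks_per_second(body))
        elif btype == EPB:
            iface, hi, lo = struct.unpack_from("<III", body)
            sec, frac = divmod((hi << 32) | lo, units[iface])
            out.append((sec, frac * 10**9 // units[iface]))
        off += total
    return out

SAMPLE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + idb(9)
          + epb(0, 1203373738 * 10**9 + 123456789))   # constructed: SHB, ns IDB, one EPB
```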