
Wireshark-dev: Re: [Wireshark-dev] N in 1 packets

From: Akos Vandra <axos88@xxxxxxxxx>
Date: Sun, 11 Dec 2011 23:21:51 +0100
There is a timestamp, only it is not handled now :). The timestamps
are "sub-messages" themselves, that precede the information-messages.
Something like this:

2000 us have passed.
Interrupt 3 entered
1500 us have passed
Interrupt 3 exited
Interrupt handling done
1000000 us have passed  <--- this is to avoid overflow in the hardware timer
1000000 us have passed
1000000 us have passed
Variable at watched by comparator 3 has been written to new value 0xDEADBEEF

So it is not a true timestamp; sometimes there are multiple packets
with the same timestamp, but still, it's not a problem.

I thought I would decode these timestamp messages and use them to
construct the pcap_pkthdr structure's ts field, as the arrival time
cannot be manipulated later from within a dissector.

What do you mean I have to provide a description of the messages? They
just contain the message source ID (there are multiple trace sources
within the trace peripheral for hardware messages, software
(printf-like) messages, and instruction tracing), and the message raw
data, nothing special.

Regards,
  Ákos Vandra
On 11 December 2011 23:07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Dec 11, 2011, at 4:51 AM, Akos Vandra wrote:
>
>> The missing wireshark error is:
>>
>> Invalid capture filter "" for interface trace1!
>> That string isn't a valid capture filter (unknown data link type 292).
>> See the User's guide for a description of the capture filter syntax.
>
> When a new link-layer header type for capturing is added, libpcap's filter-compiling code needs to have support for it added, even if it's trivial support.  See the "Currently, only raw "link[N:M]" filtering is supported." instances in gencode.c
>
>> And here you can find my not-so-pretty code, it has to be cleaned up a
>> lot, right now I am in the phase "hmm... let's see if that will
>> work..." :)
>> http://pastebin.com/fVnrEfpr
>
> From that, it looks as if there are no time stamps in the data stream itself; the code is getting time stamps from gettimeofday().
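Added example, not code from this thread or from Wireshark/libpcap: a C sketch of the timestamp handling Akos describes, folding the "N us have passed" sub-messages into a running offset from the capture start and deriving the pcap_pkthdr ts from it. The message layout, the capture start time and the message texts are constructed assumptions; the real trace source IDs and raw payload framing are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/time.h>

/* Constructed model of the stream described above: "N us have passed"
 * sub-messages precede information messages (source IDs are not modelled). */
enum msg_kind { MSG_TIME_ELAPSED, MSG_INFO };
struct trace_msg {
    enum msg_kind kind;
    uint32_t elapsed_us;   /* MSG_TIME_ELAPSED only */
    const char *text;      /* MSG_INFO only */
};

/* Fold elapsed-time messages into a running offset from the capture start and
 * stamp each information message with it (the value for pcap_pkthdr.ts). Info
 * messages with no elapsed-time message between them share a timestamp. */
size_t stamp_trace(const struct trace_msg *msgs, size_t n,
                   struct timeval base, struct timeval *ts_out, size_t cap)
{
    uint64_t offset_us = 0;   /* 64-bit, so 1000000-us keepalives never wrap it */
    size_t emitted = 0;
    for (size_t i = 0; i < n; i++) {
        if (msgs[i].kind == MSG_TIME_ELAPSED) {
            offset_us += msgs[i].elapsed_us;
            continue;
        }
        if (emitted == cap) break;
        uint64_t total_us = (uint64_t)base.tv_usec + offset_us;
        ts_out[emitted].tv_sec = base.tv_sec + (time_t)(total_us / 1000000);
        ts_out[emitted].tv_usec = (long)(total_us % 1000000);
        emitted++;
    }
    return emitted;
}
/* The thread's sample stream with a constructed capture start of 1000.999000 s.
 * Returns packet idx's timestamp in microseconds, or -1 if there is none. */
long long sample_pkt_ts_us(size_t idx)
{
    static const struct trace_msg stream[] = {
        { MSG_TIME_ELAPSED, 2000, NULL }, { MSG_INFO, 0, "Interrupt 3 entered" },
        { MSG_TIME_ELAPSED, 1500, NULL }, { MSG_INFO, 0, "Interrupt 3 exited" },
        { MSG_INFO, 0, "Interrupt handling done" }, { MSG_TIME_ELAPSED, 1000000, NULL },
        { MSG_TIME_ELAPSED, 1000000, NULL }, { MSG_TIME_ELAPSED, 1000000, NULL },
        { MSG_INFO, 0, "Comparator 3 variable written: 0xDEADBEEF" },
    };
    struct timeval ts[8], base = { 1000, 999000 };
    size_t n = stamp_trace(stream, sizeof stream / sizeof stream[0], base, ts, 8);
    if (idx >= n) return -1;
    return (long long)ts[idx].tv_sec * 1000000LL + ts[idx].tv_usec;
}
```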