Wireshark-dev: Re: [Wireshark-dev] PCAP-NG Timestamp Units

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 16 Jun 2016 22:41:28 -0700
On Jun 16, 2016, at 9:47 PM, Paul Offord <Paul.Offord@xxxxxxxxxxxx> wrote:
 
> 
> The document PCAP Next Generation (pcapng) Capture File Format describes the timestamp value like this:
>  
> The timestamp is a single 64-bit unsigned integer representing the number of units since 1/1/1970 00:00:00 UTC.
>  
> The document doesn’t define “units”.  Is a unit a microsecond?

What the document says in the "Interface Definition Block" section:

	http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.4.2

is

	if_tsresol:

	The if_tsresol option identifies the resolution of timestamps. If the Most Significant Bit is equal to zero, the remaining bits indicates the resolution of the timestamp as a negative power of 10 (e.g. 6 means microsecond resolution, timestamps are the number of microseconds since 1/1/1970). If the Most Significant Bit is equal to one, the remaining bits indicates the resolution as a negative power of 2 (e.g. 10 means 1/1024 of second). If this option is not present, a resolution of 10^-6 is assumed (i.e. timestamps have the same resolution of the standard 'libpcap' timestamps).

	Example: '6'.

and in the "Enhanced Packet Block" section:

	http://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?url=https://raw.githubusercontent.com/pcapng/pcapng/master/draft-tuexen-opsawg-pcapng.xml&modeAsFormat=html/ascii&type=ascii#rfc.section.4.3

is:

	The Enhanced Packet Block has the following fields: 

		...

	* Timestamp (High) and Timestamp (Low): high and low 32-bits of a 64-bit quantity representing the timestamp. The timestamp is a single 64-bit unsigned integer representing the number of units since 1/1/1970 00:00:00 UTC. The way to interpret this field is specified by the 'if_tsresol' option (see Figure 10) of the Interface Description block referenced by this packet. Please note that differently from the libpcap file format, timestamps are not saved as two 32-bit values accounting for the seconds and microseconds since 1/1/1970. They are saved as a single 64-bit quantity saved as two 32-bit words.

So a "unit", for a packet that arrived on a particular interface, is whatever the time stamp resolution is on that interface.  The *default* meaning of a "unit" is 1 microsecond, but it can be set to other powers of 10 or 2, e.g. 1 nanosecond.

It should probably make it clearer what a "unit" is in the EPB section.  I'll look at improving that.
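
The interpretation described in the message above, as an added example that is not part of the original post or of Wireshark's code: it decodes an `if_tsresol` byte and converts an Enhanced Packet Block's two 32-bit timestamp words into an exact time. The function names and the sample timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from fractions import Fraction

DEFAULT_TSRESOL = 6  # option absent: 10^-6, as in the quoted spec text


def units_per_second(if_tsresol=None):
    """Number of timestamp units in one second for an interface."""
    if if_tsresol is None:
        if_tsresol = DEFAULT_TSRESOL
    if not 0 <= if_tsresol <= 0xFF:
        raise ValueError("if_tsresol is a single byte")
    exponent = if_tsresol & 0x7F              # remaining seven bits
    base = 2 if if_tsresol & 0x80 else 10     # MSB set: negative power of 2
    return base ** exponent


def epb_timestamp(ts_high, ts_low, if_tsresol=None):
    """Return (whole seconds since the epoch, exact fraction of a second)."""
    for word in (ts_high, ts_low):
        if not 0 <= word <= 0xFFFFFFFF:
            raise ValueError("timestamp words are unsigned 32-bit values")
    units = (ts_high << 32) | ts_low          # one 64-bit count of units
    per_second = units_per_second(if_tsresol)
    seconds, remainder = divmod(units, per_second)
    return seconds, Fraction(remainder, per_second)


def to_utc(ts_high, ts_low, if_tsresol=None):
    """Convert to a UTC datetime, truncating the fraction to microseconds."""
    seconds, fraction = epb_timestamp(ts_high, ts_low, if_tsresol)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(seconds=seconds,
                             microseconds=int(fraction * 1_000_000))


if __name__ == "__main__":
    # Constructed sample: 2016-06-17 05:41:28.25 UTC at nanosecond resolution.
    units = 1466142088 * 10**9 + 250_000_000
    high, low = units >> 32, units & 0xFFFFFFFF
    print(to_utc(high, low, 9))               # if_tsresol = 9
    # The same words read with the default resolution (option ignored)
    # give a count of seconds 1000 times too large.
    print(epb_timestamp(high, low)[0])
```

Reading a capture's timestamps without consulting the `if_tsresol` of the interface each packet references shifts every event time by the ratio between the real and assumed resolution, which matters when packets are correlated with other logs.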