Gianluca Varenni wrote:
> I think the description of timestamp formats is quite bad in the specs.
> The timestamps are represented as a 64-bit quantity split into high and low
> 32 bits, that represent the number of microseconds/nanoseconds/??? from
> 1/1/1970 (that's the meaning of "in standard unix format i.e. since
> 1/1/1970").
> The reason behind using a single 64-bit quantity instead of
> seconds/subseconds is twofold:
> 1. If we use seconds and subseconds, 32 bits don't allow us to go under the
> nanosecond.
> 2. Several hardware-based capture cards represent timestamps as
> nanoseconds/microseconds as a single 64-bit quantity, i.e. they don't split
> them into seconds and subseconds.
> BTW, there was a discussion on the timestamp format on the ntar-workers
> mailing list, here
> http://www.winpcap.org/pipermail/ntar-workers/2006-March/000122.html

Yes, the timestamp spec of the EPB (and PB) is *very misleading* here
and definitely needs a clarification! The structure - and the
descriptive text - looks far too much "libpcap like" to get an idea that
it's actually different.
Having read the text a few times now, I think it's not even very consistent
in itself ...
Regards, ULFL
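
The 64-bit reading described in the quoted message, next to the libpcap-like seconds/microseconds reading the reply calls misleading, as an added example that is not part of the original thread. The type and function names and the `units_per_sec` parameter are assumptions made for illustration, and the sample timestamp is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper types for this example. */
struct ts_halves  { uint32_t high, low; };
struct ts_decoded { int ok; uint64_t sec; uint32_t nsec; };

/* Writer side: split one 64-bit count of time units into high/low 32 bits. */
struct ts_halves ts_split(uint64_t ticks)
{
    struct ts_halves h = { (uint32_t)(ticks >> 32), (uint32_t)ticks };
    return h;
}

/* Reader side: high/low are halves of ONE count of units since 1/1/1970.
 * units_per_sec is an assumed parameter: 1000000 for microseconds,
 * 1000000000 for nanoseconds. Finer units are rejected (ok = 0) because
 * the result is reported with nanosecond precision. */
struct ts_decoded ts_from_halves(uint32_t high, uint32_t low, uint64_t units_per_sec)
{
    struct ts_decoded d = { 0, 0, 0 };
    if (units_per_sec == 0 || units_per_sec > 1000000000ULL)
        return d;
    uint64_t ticks = ((uint64_t)high << 32) | low;
    d.ok = 1;
    d.sec = ticks / units_per_sec;
    d.nsec = (uint32_t)((ticks % units_per_sec) * 1000000000ULL / units_per_sec);
    return d;
}

/* The libpcap-like reading: high taken as seconds, low as microseconds.
 * ok = 0 flags a microsecond field that cannot be a fraction of a second. */
struct ts_decoded ts_read_as_sec_usec(uint32_t high, uint32_t low)
{
    struct ts_decoded d = { low < 1000000u, high, 0 };
    if (d.ok)
        d.nsec = low * 1000u;
    return d;
}

int main(void)
{
    /* Constructed sample: 1143849600.250000 s since 1/1/1970, in microseconds. */
    struct ts_halves h = ts_split(1143849600250000ULL);
    struct ts_decoded good = ts_from_halves(h.high, h.low, 1000000ULL);
    struct ts_decoded bad = ts_read_as_sec_usec(h.high, h.low);
    printf("high=%u low=%u\n", (unsigned)h.high, (unsigned)h.low);
    printf("64-bit reading: %llu.%09u s\n", (unsigned long long)good.sec, (unsigned)good.nsec);
    printf("sec/usec reading: %llu s, plausible=%d\n", (unsigned long long)bad.sec, bad.ok);
    return 0;
}
```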