On Jun 9, 2008, at 9:39 AM, Nicholas Marra wrote:
> I’m adding a feature to a dissector I created that compares the
> System PCAP timestamp with the Dissected Message Timestamp. The goal
> is to compare the two timestamps and see if they are off by a
> certain amount of time. I located the PCAP Timestamp within the
> dissect_frame function in the packet-frame.c file. This is located
> in the wireshark/epan/dissectors directory. The Message Timestamp is
> located in wireshark/plugins/dar. I included the appropriate header
> files in both the packet-frame.c and my plugin C file. I set a
> variable in both C files to store the value of the times. However, I
> have been unable to get the variables to be set at the right time. I
> need the PCAP Timestamp value to be passed to my plugin C file for
> use in my comparison. Does anyone have any suggestions on how I may
> do this?
As Jaap Keuter noted, you get the pcap time stamp from
pinfo->fd->abs_ts, just as the dissect_frame() function does. If your
plugin is a dissector, it gets passed a pinfo pointer, which it can use
to get the pcap time stamp.
Note, however, that the pcap timestamp for a packet captured from a
regular network interface (as opposed to a special capture-only
interface that supplies its own time stamps, such as a device from
Endace or CACE Technologies) is the system time at the point when the
packet was time-stamped; that's the point at which the part of the
networking stack that time-stamps packets sees the packet, which could
be a significant time *after* the packet was received by the host for
incoming packets, and is some time *before* the packet is transmitted
for outgoing packets.
I.e., unless you're capturing on a device such as an Endace card or a
CACE AirPcap adapter, don't assume the time stamps have high accuracy.
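The comparison the original poster describes, written out as an added example (not code from this thread, from the "dar" plugin, or from Wireshark itself). The capture time is passed in as a struct mirroring Wireshark's nstime_t (the value a dissector would read from pinfo->fd->abs_ts); the message timestamp is parsed from a constructed 8-byte field whose layout (32-bit big-endian seconds since the Unix epoch, then 32-bit big-endian microseconds) is an assumption made up here, since the thread does not describe the real protocol field. The tolerance check keeps the delta signed so you can tell whether the capture clock is ahead of or behind the sender's, and the caveat from the reply above (stack timestamping latency on ordinary NICs) is why the tolerance is a parameter rather than a tight constant.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <time.h>

/* Mirrors the shape of Wireshark's nstime_t (epan/nstime.h): seconds and
 * nanoseconds. In a real dissector you would use pinfo->fd->abs_ts directly. */
typedef struct {
    time_t secs;
    int    nsecs;
} ts_t;

/* Big-endian 32-bit read/write; in a dissector tvb_get_ntohl() does the read. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the ASSUMED message timestamp field (secs, usecs; both BE32).
 * Returns 0 on success, -1 if the buffer is short or usecs is out of range. */
static int parse_message_ts(const uint8_t *buf, size_t len, ts_t *out)
{
    if (len < 8)
        return -1;
    uint32_t usecs = get_be32(buf + 4);
    if (usecs >= 1000000)          /* malformed field, not a clock problem */
        return -1;
    out->secs  = (time_t)get_be32(buf);
    out->nsecs = (int)(usecs * 1000);
    return 0;
}

/* Signed (capture - message) in microseconds. Positive means the capture
 * host stamped the frame after the sender's clock said it was sent. */
static int64_t ts_delta_us(const ts_t *capture, const ts_t *message)
{
    int64_t dsecs  = (int64_t)capture->secs  - (int64_t)message->secs;
    int64_t dnsecs = (int64_t)capture->nsecs - (int64_t)message->nsecs;
    return dsecs * 1000000 + dnsecs / 1000;
}

/* 1 if |delta| > tolerance_us, else 0. The pcap stamp on an ordinary NIC is
 * host time when the stack saw the packet, not wire time, so the tolerance
 * must cover that latency plus sender/capture-host clock skew. */
static int ts_out_of_tolerance(const ts_t *capture, const ts_t *message,
                               int64_t tolerance_us)
{
    int64_t d = ts_delta_us(capture, message);
    if (d < 0)
        d = -d;
    return d > tolerance_us;
}

/* What the dissector body would do per frame:
 *   -1 = timestamp field malformed, 0 = within tolerance, 1 = skewed. */
static int check_frame_timestamp(const ts_t *capture, const uint8_t *buf,
                                 size_t len, int64_t tolerance_us)
{
    ts_t msg;
    if (parse_message_ts(buf, len, &msg) != 0)
        return -1;
    return ts_out_of_tolerance(capture, &msg, tolerance_us);
}

int main(void)
{
    /* Constructed sample: frame captured at 1213000000.000750 (9 Jun 2008),
     * message claims 1213000000.000250, i.e. the capture is 500 us late. */
    ts_t capture = { 1213000000, 750000 };
    uint8_t field[8];
    put_be32(field, 1213000000u);
    put_be32(field + 4, 250u);

    printf("delta = %lld us\n",
           (long long)ts_delta_us(&capture, &(ts_t){ 1213000000, 250000 }));
    printf("tolerance 1 ms -> %d\n", check_frame_timestamp(&capture, field, 8, 1000));
    printf("tolerance 100 us -> %d\n", check_frame_timestamp(&capture, field, 8, 100));
    printf("truncated field -> %d\n", check_frame_timestamp(&capture, field, 4, 1000));
    return 0;
}
```

If you wire this into a real plugin, replace the ts_t parameter with pinfo->fd->abs_ts, read the field with the tvb_get_* accessors, and report the result with expert-info rather than printf; the arithmetic stays the same.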