Wireshark-dev: Re: [Wireshark-dev] nsec Timestamp Resolution

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 1 Aug 2008 10:44:41 -0700

On Jul 31, 2008, at 10:34 AM, Barry Constantine wrote:

My company builds a analyzer that provides nsec timestamps and when I convert our format to pcap (with Wild Packets ProConvert), I suspect that the conversion is dropping the nsec time since when I open in Wireshark, I only see usec.

I am trying to determine what fields in pcap format need to be set so that Wireshark can display nsec.

The magic number:

	http://www.wireshark.org/lists/wireshark-users/200807/msg00220.html

Note that you don't get to control, by what you put in *your* file format, what magic number ProConvert uses.

Note also that you *could* contribute to Wireshark code that reads *your* format, in which case Wireshark could read your capture files directly, complete with nanosecond format - and people who can't run ProConvert (yes, there are people who can't run ProConvert, because they don't run Windows; Wireshark is a cross-platform application, not a Windows application) could still read the file.