Wireshark-users: Re: [Wireshark-users] Timestamp Display - nsec Resolution

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Thu, 31 Jul 2008 22:48:23 +0200
Barry Constantine schrieb:
Principal Member of Technical Staff

JDSU Communication Test (formerly Acterna)

Emerging Markets and Technology Research One Milestone Center Court Germantown, MD 20876 (W) 240-404-2227
(C) 240-499-4750


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Sent: Thursday, July 31, 2008 2:30 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 26, Issue 47

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."
Hello Ulf,

Can you give me some more details concerning the file format?

Thanks,
Barry

The file format is basically the same as common libpcap format, see http://wiki.wireshark.org/Development/LibpcapFileFormat

There are two changes:

- the value in the field magic_number changed to 0xa1b23c4d (to detect the changed timestamp) - or 0x4d3cb2a1 if you have a byte swapped file - the field ts_usec changed it's meaning to contain nsec fraction of a second (instead of the millisecond based value in standard libpcap)

Hope this helps,

Regards, ULFL

P.S: If you reply to a digest mail, please remove any unrelated content first! It's hard to find the related content - which won't motivate possible replies ;-)