Wireshark · Ethereal-dev: Re: [Ethereal-dev] How to read/import and display capture files with 1ns timestamp resolution?

Ethereal-dev: Re: [Ethereal-dev] How to read/import and display capture files with 1ns timesta

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>

Date: Wed, 24 Aug 2005 00:09:00 +0200


Guy Harris <guy@xxxxxxxxxxxx> schrieb am 23.08.05 19:32:17:
> 
> 
> At least some of what should be done here is to change Ethereal so that, 
> when capturing, it doesn't use the regular Wiretap code path to write 
> out the capture file.  That way, Ethereal wouldn't have to, for example, 
> convert seconds/microseconds time stamps from libpcap into 
> seconds/nanoseconds time stamps to hand to Wiretap, and Wiretap wouldn't 
> have to convert those back to seconds/microseconds time stamps.  (By 
> removing Wiretap from the critical path for capturing, it'd also let us 
> standardize the presentation of "radio information" for 802.11, so we'd 
> need only one WTAP_ENCAP value for that, and we wouldn't need separate 
> dissectors for different radio headers - and could conceivably have the 
> tap for 802.11 supply that information, letting us add, for example, a 
> tap-based stat such as
> 
> 	http://www.networkchemistry.com/products/packetyzer/images/ss_wlan_analysis.gif
> 
> .)
> 
> The code to write libpcap files when capturing would still be in 
> Wiretap, but it'd be a special code path.
> 
> I've started working on that, but got sidetracked into looking at the 
> stat code and cleaning it up when I did an AFP SRT tap.  I'll try to 
> finish the capture changes soon.
> 

First of all, I (currently) don't need to capture in nanosecond resolution, reading/importing would be enough. Capturing is done by a seperate hardware.

Having a look at the implementation, I've just added a new function (in my personal tree) to read the current timestamp resolution from wiretap (in the format provided by the NTAR spec, therefore the questions).

This way I'm now looking for a way to change the display to be corresponding to the file content. Simply changing the magic value or DLT_ (or alike) would be enough, no further changes to the file format required.

I've seen some more things need to think about, like calculation of time differences, capture file merging and alike.

But I need a prototype soon, so I'll try to implement the correct display first and then look at the remaining issues.

Regards, ULFL
_________________________________________________________________________
Mit der Gruppen-SMS von WEB.DE FreeMail können Sie eine SMS an alle 
Freunde gleichzeitig schicken: http://freemail.web.de/features/?mc=021179

Follow-Ups:
- Re: [Ethereal-dev] How to read/import and display capture files with 1ns timestamp resolution?
  - From: Guy Harris

Prev by Date: [Ethereal-dev] Patch to prevent loop in flow analysis graph
Next by Date: Re: RE: [Ethereal-dev] DNP3 dissector
Previous by thread: Re: [Ethereal-dev] How to read/import and display capture files with 1ns timestamp resolution?
Next by thread: Re: [Ethereal-dev] How to read/import and display capture files with 1ns timestamp resolution?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$