Gianluca Varenni schrieb: > I think the description of timestamp formats is quite bad in the specs. > The timestamps are represented as a 64bit quantity split into high and low > 32 bits, that represent the number of microseconds/nanoseconds/??? from > 1/1/1970 (that's the meaning of in "in standard unix format i.e. since > 1/1/1970"). > The reason behind using a single 64bit quantity instead of > seconds/subseconds is twofold: > 1. if we use seconds and subseconds, 32bits don't allow to go under the > nanosecond. > 2. several hardware-based capture cards represent timestamps as > nanoseconds/microseconds as a single 64bit quantity i.e. they don't split > them into seconds and subseconds. > > BTW, there was a discussion on the timestamp format on the ntar-workers > mailing list, here > > http://www.winpcap.org/pipermail/ntar-workers/2006-March/000122.html > Yes, the timestamp spec of the EPB (and PB) is *very misleading* here and definitely needs a clarification! The structure - and the descriptive text - looks far too much "libpcap like" to get an idea that it's actually different.
Reading the text a few times now, I think it's even not very consistent in itself ... Regards, ULFL _______________________________________________ Wireshark-dev mailing list [email protected] http://www.wireshark.org/mailman/listinfo/wireshark-dev
