
I have a question about the time stamp.

I have a pcap file and part of the program is to print the time stamp of a packet in C/C++.

I'm using

pcap_next_ex(app->pcap, &header, &data)

to get the packet from the pcap and

printf("%ld \n", header->ts.tv_sec);

printf("%ld \n", header->ts.tv_usec);

for printing the timestamp.

The problem is that I read the first packet and the output of the printf is:

the first printf: 1303140747

the second printf: 467638

and the real timestamp is 0.00000 (the first packet)

Am I doing something wrong here?

Thanks!

  • 1303140747 sounds reasonable. Why do you think it should be 0? – nos Apr 10 '14 at 13:29
  • Maybe I'm missing something. What is the form of that timestamp? Is it year, month, day, hour, second? I need the time from the "time" column in the pcap file... – user3378689 Apr 10 '14 at 13:39
  • It's seconds since the Unix epoch. 1303140747 is 2011:04:18 15:32:27 and 467638 microseconds. You can pass 1303140747 to e.g. localtime(). If you're looking at the file in Wireshark, Wireshark probably defaults to showing relative timestamps, i.e. the first packet is the reference time 0. There are some options to change it to show absolute timestamps. – nos Apr 10 '14 at 13:45
  • Oh, I understand it now :) Is there a way to retrieve the time from the "time" column? – user3378689 Apr 10 '14 at 13:51
  • I don't know what your Time column looks like. For absolute timestamps, pass the seconds to localtime(), which gives you a `struct tm` that you pass to strftime() to format it however you want. For relative timestamps, you need to calculate them yourself relative to the first packet in the file. – nos Apr 10 '14 at 13:55
  • OK, thanks! I just read about the localtime() function. Thanks! – user3378689 Apr 10 '14 at 14:10
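
Added example (not part of the original thread): the two conversions described in the comments above, applied to the `struct timeval` that `pcap_next_ex()` returns in `header->ts`. The helper names are hypothetical, the timestamps are embedded so it runs without a capture file (the first is the value from the question, the others are constructed), and `gmtime()` is used in place of `localtime()` so the output does not depend on the machine's time zone.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/time.h>

/* Offset of `cur` from `first` in microseconds: the relative value a
 * "Time" column shows when the first packet is the reference (0). */
long long ts_rel_usec(const struct timeval *first, const struct timeval *cur)
{
    long long sec  = (long long)cur->tv_sec  - (long long)first->tv_sec;
    long long usec = (long long)cur->tv_usec - (long long)first->tv_usec;
    return sec * 1000000LL + usec;   /* negative if cur precedes first */
}

/* Render a microsecond offset as "S.UUUUUU", keeping the sign. */
int ts_format_rel(long long rel, char *buf, size_t n)
{
    const char *sign = rel < 0 ? "-" : "";
    if (rel < 0)
        rel = -rel;
    return snprintf(buf, n, "%s%lld.%06lld", sign, rel / 1000000, rel % 1000000);
}

/* Absolute timestamp in UTC as "YYYY-MM-DD HH:MM:SS.UUUUUU". */
int ts_format_abs(const struct timeval *ts, char *buf, size_t n)
{
    time_t secs = ts->tv_sec;        /* seconds since the Unix epoch */
    struct tm *tm = gmtime(&secs);
    char date[32];
    if (tm == NULL || strftime(date, sizeof date, "%Y-%m-%d %H:%M:%S", tm) == 0)
        return -1;
    return snprintf(buf, n, "%s.%06ld", date, (long)ts->tv_usec);
}

int main(void)
{
    /* In a real reader these come from header->ts for each packet. */
    struct timeval pkts[] = {
        {1303140747, 467638}, {1303140747, 998112}, {1303140749, 120}
    };
    char absbuf[64], relbuf[32];
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        ts_format_abs(&pkts[i], absbuf, sizeof absbuf);
        ts_format_rel(ts_rel_usec(&pkts[0], &pkts[i]), relbuf, sizeof relbuf);
        printf("%zu  %s  %s\n", i + 1, relbuf, absbuf);
    }
    return 0;
}
```

Working in microseconds as one signed integer avoids a manual borrow when the later packet has a smaller `tv_usec` than the reference packet.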
