How do I capture packets with nanosecond resolution using libpcap v1.6.1? Based on the changelog they added support for the nanosecond resolution in v1.5.0. When I execute tcpdump and view the cap files, it is still only in microseconds. I tried the previous method of changing

pcap_open_offline_with_tstamp_precision(
    fname, PCAP_TSTAMP_PRECISION_MICRO, errbuf)

to

pcap_open_offline_with_tstamp_precision(
    fname, PCAP_TSTAMP_PRECISION_NANO, errbuf)

recompiled, and re-installed it, but it still doesn't work. Now I'm wondering if this has to do with my Linux version (RedHat Enterprise 6.2). If someone could give me any other way or a step by step procedure, it would be very much appreciated.

Richard Hansen
mayor
  • By the way my tcpdump version is 4.1-PRE-CVS_2009_12_11 – mayor Aug 26 '14 at 09:17
  • It is unclear what you are asking. Have you written a C program that uses libpcap to capture packets? Or are you using tcpdump to capture packets? How are you viewing the packet capture files? – Richard Hansen Feb 02 '15 at 21:57

1 Answer

How do I capture packets with nanosecond resolution using libpcap v1.6.1?

See the answers to the other question about this.

When I execute tcpdump and view the cap files, it is still only in microseconds.

Tcpdump, by default, requests that libpcap give it microsecond-resolution time stamps; newer versions of tcpdump (4.6 and later) support a --time-stamp-precision flag, which can be used to make it request nanosecond-resolution time stamps from libpcap. As there's currently no API to ask what the file's time stamp precision is, it will, when run with that flag, show 9 figures of time stamp, even if the file only has microsecond precision (so that the last 3 digits in the time stamp are always zero).

I tried the previous method of changing ...

What program did you change? That change will not affect live captures, and tcpdump, at least, doesn't make calls like that (older versions don't use pcap_open_offline_with_tstamp_precision() at all, because they were released before pcap_open_offline_with_tstamp_precision() existed; newer versions pass pcap_open_offline_with_tstamp_precision() a variable, which defaults to PCAP_TSTAMP_PRECISION_MICRO but which can be set to PCAP_TSTAMP_PRECISION_NANO by specifying the flag --time-stamp-precision nano).

Community
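Because tcpdump prints 9 digits whenever it is run with --time-stamp-precision nano, the display alone does not tell you what the file stores. The following is an added example, not code from the answer or from libpcap: it reads the classic pcap file header directly and tells a microsecond file from a nanosecond one by its magic number. The function names and sample bytes are constructed for illustration, and pcapng files are not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_MICRO 0xa1b2c3d4u  /* fraction field counts microseconds */
#define PCAP_MAGIC_NANO  0xa1b23c4du  /* fraction field counts nanoseconds  */

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3])
              : (((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0]);
}

/* Returns 6 (microsecond file), 9 (nanosecond file) or -1 (not classic pcap
 * or truncated). Sets *be to 1 when the header fields are big-endian. */
int pcap_file_precision(const uint8_t *buf, size_t len, int *be) {
    if (len < 24) return -1;                    /* file header is 24 bytes */
    for (*be = 0; *be <= 1; (*be)++) {
        uint32_t magic = rd32(buf, *be);
        if (magic == PCAP_MAGIC_MICRO) return 6;
        if (magic == PCAP_MAGIC_NANO)  return 9;
    }
    return -1;
}

/* Formats the first record's time stamp with as many fractional digits as the
 * file really stores. Returns a static string, or NULL on error. */
const char *first_timestamp(const uint8_t *buf, size_t len) {
    static char out[32];
    int be, digits = pcap_file_precision(buf, len, &be);
    if (digits < 0 || len < 24 + 16) return NULL;   /* need one record header */
    uint32_t sec = rd32(buf + 24, be), frac = rd32(buf + 28, be);
    if (frac >= (digits == 9 ? 1000000000u : 1000000u)) return NULL; /* corrupt */
    snprintf(out, sizeof out, "%lu.%0*lu", (unsigned long)sec, digits, (unsigned long)frac);
    return out;
}

/* Constructed samples: 24-byte file header plus one 16-byte record header. */
static const uint8_t sample_nano_le[40] = {
    0x4d,0x3c,0xb2,0xa1, 2,0,4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0x00,0xca,0x9a,0x3b, 0x15,0xcd,0x5b,0x07 };  /* 1000000000 s + 123456789 ns */
static const uint8_t sample_micro_be[40] = {
    0xa1,0xb2,0xc3,0xd4, 0,2,0,4, 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff, 0,0,0,1,
    0x3b,0x9a,0xca,0x00, 0x00,0x01,0xe2,0x40 };  /* 1000000000 s + 123456 us */

int main(void) {
    puts(first_timestamp(sample_nano_le, sizeof sample_nano_le));   /* 9 digits */
    puts(first_timestamp(sample_micro_be, sizeof sample_micro_be)); /* 6 digits */
    return 0;
}
```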