On 07/09/11 21:56, Guy Harris wrote:
> On Jul 9, 2011, at 4:41 PM, Alokat wrote:
>
>> I'm wondering what is in the pcap_data (pcap file format) and what is not?
>> Especially the timestamp ... is it just in the packet_header or in the
>> packet_data too?
> A pcap file starts with a header. Following the header are zero or more
> packet records. A packet record has a header, which includes the packet time
> stamp, followed by packet data, which is just the raw data as supplied to
> libpcap/WinPcap by whatever mechanism it uses. That mechanism supplies the
> packet time stamp for inclusion in the header, so there is no reason to
> expect that it will also be in the packet data, especially given that no link
> layers would include that time stamp (it's not in an Ethernet header, for
> example), so the time stamp is just in the packet header, not the packet data.
>
> The time stamp is an approximation of the time when the packet was received
> by the machine that captured it.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

Okay,
Thanks for your answer ...

Regards,
alokat
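
The layout described in the quoted answer, as an added example that is not part of the original thread: a minimal reader for the classic pcap format that takes the time stamp from each record header and returns the packet data untouched. The function names and the sample capture are constructed for illustration; the field layout (24-byte file header, 16-byte record header) is the standard libpcap one.

```python
import struct

# First four bytes of the file -> (struct byte order, timestamp fraction units per second)
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 10**6), b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # microseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9), b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # nanoseconds
}

def parse_pcap(buf):
    """Return (linktype, units_per_sec, [(ts_sec, ts_frac, orig_len, data), ...])."""
    if len(buf) < 24 or buf[:4] not in MAGICS:
        raise ValueError("not a pcap file")
    order, units = MAGICS[buf[:4]]
    # File header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _zone, _sigfigs, _snaplen, linktype = struct.unpack_from(order + "HHiIII", buf, 4)
    records, off = [], 24
    while off < len(buf):
        if len(buf) - off < 16:
            raise ValueError("truncated record header")
        # Per-record header: the time stamp lives here, not in the packet bytes
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(order + "IIII", buf, off)
        off += 16
        if incl_len > len(buf) - off:
            raise ValueError("record claims more data than the file holds")
        records.append((ts_sec, ts_frac, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, units, records

def build_sample():
    """Constructed sample: little-endian microsecond pcap holding one bare Ethernet header."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800")  # dst, src, ethertype
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec_hdr = struct.pack("<IIII", 1310248560, 250000, len(frame), len(frame))
    return file_hdr + rec_hdr + frame, frame

if __name__ == "__main__":
    pcap, frame = build_sample()
    linktype, units, records = parse_pcap(pcap)
    for ts_sec, ts_frac, orig_len, data in records:
        print(f"ts={ts_sec + ts_frac / units:.6f} orig_len={orig_len} data={data.hex()}")
```

The length checks matter when reading captures from untrusted sources: `incl_len` is attacker-controlled in a crafted file and must be bounded by the bytes actually present before slicing.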