On 02/14/2014 04:46 PM, Guy Harris wrote: > > What is the "nanosecond offset to pcap timestamp"? pcap-ng lets you specify > the resolution of time stamps, and even pcap lets you, at least with newer > versions of libpcap and Wireshark, specify nanosecond resolution with a > different magic number. >
The motivation was classic pcap. I was up on pcap-ng, but did not realize the pcap format has an updated variant with higher-precision timestamps. So I have removed the ns field from the pseudoheaders. > Translating them into the style in the pages under > http://www.tcpdump.org/linktypes would be helpful. It avoids worrying about > C/C-derived-language data structure names - or anything *else* about C and > languages derived from it - and also makes it easier to add the link-layer > header type to the Web site. > Okay, I will do this. Are the linktype description pages developed with any tools or templates, or just written as HTML (with the website's CSS applied)? I also have a question prompted by reviewing some sample pages like [1] and [2]. It seems some folks choose little-endian for multi-byte fields and others choose network/big-endian. It there a preference here? Is it acceptable to define these fields as having the same endianness as the pcap file header (or pcap-ng section header)? [1] http://www.tcpdump.org/linktypes/LINKTYPE_NG40.html [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETANALYZER.html _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
