Re: DLT_ request

[Guy Harris <guy () alum mit edu>]

On Dec 13, 2016, at 8:38 AM, Scott Deandrea <sdeandrea () apple com> wrote:

> The timestamps are in Mach Absolute Time Units (https://developer.apple.com/library/content/qa/qa1398/_index.html).

That says

        This unit is CPU dependent, so you can't just multiply it by a constant to get a real world value. Rather, you 
should call a system-provided conversion function to convert it to a real world value.

Unfortunately, that would require that the clock rate be provided somewhere in the capture file.

However, a quick look at _absolutetime_to_microtime() for x86 (which is what's used by absolutetime_to_microtime(), 
which is what's used by clock_get_calendar_microtime(), which is what's used by microtime(), which is what's used by 
the BPF code to time stamp packets) indicates that the units are "nanoseconds" (and that it's "nanoseconds since the 
Epoch", for appropriate values of "since the Epoch" - don't get me started on leap seconds and POSIX...).

I don't know whether that's the case on ARM (the Apple TV has an USB port, after all...), but, if it is, and if Apple's 
going to continue to maintain that as the case, then we can just say it's in nanoseconds.

Otherwise, you might want to convert it to nanoseconds rather than using a CPU-dependent unit.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers