[Feature] Getting nano-second resolution pcap or pcap-ng generation via tcprewrite

[deepakrana47]

I am using "tcprewrite" for changing the IP-addresses of the a pcap file by executing the following command:

tcprewrite --srcipmap=192.168.1.99:10.2.1.45 --dstipmap=192.168.1.100:10.10.10.81 --infile=input.pcap --outfile=output.pcap

Then, when i go through the output.pcap I found out that the timestamps of packets in output.pcap file having a value up to 6 decimal point while in input.pcap it was 9 decimal points.

e.g.: if in input.pcap timestamp is: 1555486009.955677809 Then in output.pcap timestamp is: 1555486009.955677000

Can you please help me if there is some way i can get 9 decimal points timestamps (as i have gone through the tcprewrite manual but no success)

Thank you

[fklassen]

tcprewrite produces PCAP files which have microsecond resolution. Your input file must be a PCAP-NG file, which supports nanosecond resolution.

PCAP-NG files have a newer format which also allows programs like Wireshark to open them without loading the entire trace into memory.

[deepakrana47]

So, i tried with pcap-ng file also. But still getting the output pcap file with microsecond resolution.

I have "input.pcap" (pcap file with nanosecond resolution)

I followed the following steps:

1. $ editcap input.pcap tmp.pcap //this convert pcap file to pcapng with nanosecond resolution
2. $ tcprewrite --srcipmap=192.168.1.99:10.9.1.101 --infile=tmp.pcap --outfile=tmp1.pcap
3. $ capinfos tmp1.pcap

so the tmp1.pcap is still a pcap file with microsecond resolution.

[fklassen]

Removing from 4.4. Will leave around for consideration for future releases.