[File] pcap files with time stamps in seconds/nanoseconds [PATCH]

[Francois-Xavier Le Bail]

Hello,

Currently are recognized pcap ("tcpdump") files with packets time stamps in seconds/microseconds.

Attached is a patch to add pcap ("tcpdump") files with time stamps in seconds/nanoseconds.

Reference: https://www.tcpdump.org/manpages/pcap-savefile.5.html

Regards,
-- 
Francois-Xavier

-------------- next part --------------
commit ff6710719fd23c80c109b03cff088917a8893689
Author: Francois-Xavier Le Bail <devel.fx.lebail at orange.fr>
Date:   Thu Sep 6 17:18:48 2018 +0200

    pcap files with time stamps in seconds/nanoseconds
    
    Reference: https://www.tcpdump.org/manpages/pcap-savefile.5.html
    
    Add some comments.

diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer
index 0d6c196f..e5afd14c 100644
--- a/magic/Magdir/sniffer
+++ b/magic/Magdir/sniffer
@@ -77,6 +77,7 @@
 
 #
 # "libpcap" capture files.
+# https://www.tcpdump.org/manpages/pcap-savefile.5.html
 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is
 # the main program that uses that format, but there are other programs
 # that use "libpcap", or that use the same capture file format.)
@@ -187,6 +188,7 @@
 >20	belong		248		(SCTP
 >16	belong		x		\b, capture length %d)
 
+# packets time stamps in seconds and microseconds.
 0	ubelong		0xa1b2c3d4	tcpdump capture file (big-endian)
 !:mime	application/vnd.tcpdump.pcap
 >0	use	pcap-be
@@ -194,6 +196,14 @@
 !:mime	application/vnd.tcpdump.pcap
 >0	use	\^pcap-be
 
+# packets time stamps in seconds and nanoseconds.
+0	ubelong		0xa1b23c4d	nanoseconds tcpdump capture file (big-endian)
+!:mime	application/vnd.tcpdump.pcap
+>0	use	pcap-be
+0	ulelong		0xa1b23c4d	nanoseconds tcpdump capture file (little-endian)
+!:mime	application/vnd.tcpdump.pcap
+>0	use	\^pcap-be
+
 #
 # "libpcap"-with-Alexey-Kuznetsov's-patches capture files.
 # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is