2
votes

I am trying to create a Python script where I parse a pcap file and measure traffic burstiness down to the sub-millisecond level. The problem is that it looks like the timestamps provided by dpkt don't appear to provide fine enough resolution. The following script

#!/usr/bin/python
import dpkt, sys

f=file(sys.argv[1],"rb")
pcap=dpkt.pcap.Reader(f)


for ts, buf in pcap:
  eth=dpkt.ethernet.Ethernet(buf)
  size = len(eth)
  print "packet size %s" % size
  print "timestamp %s" % ts

Yields the following results:

packet size 199
timestamp 1397589057.04
packet size 119
timestamp 1397589057.04
packet size 66
timestamp 1397589057.04
packet size 247
timestamp 1397589057.04

The actual timestamps for those packets should have a .043549 format which goes down to the microsecond. Does anyone know how to get the full timestamp?

2 Answers

3
votes

I am assuming that you are doing something like this:

for ts, buf in pcap:
    print ts

And then you observe the timestamp to be 1408173480.93 instead of 1408173480.936543. This is because the print function in Python limits float to two decimal places.

Example:

>>> x = 1258494066.119061
>>> x
1258494066.119061
>>> print x
1258494066.12

If you really need to print the full value, use format:

>>> "{0:.6f}".format(x)
'1258494066.119061'

2
votes

Don't know if this will help you exactly, but I noticed the same thing. For my requirements I would prefer the integer values rather than the floating point conversions. Of course in order to do the following you need the source:

The origins of it are from line 151 in pcap.py in the dpkt (version 1.8) directory:

yield (hdr.tv_sec + (hdr.tv_usec / 1000000.0), buf)

This can be changed to the following to ensure that the original integer values for seconds and microseconds are returned:

yield ((hdr.tv_sec, hdr.tv_usec), buf)

The tuple is formatted to my liking and can be modified.
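
An added example (not part of either answer and not dpkt code): reading the classic pcap record headers directly with struct keeps the seconds and sub-second fields as integers, so inter-packet gaps can be computed without a float conversion and without patching dpkt. It goes slightly beyond the thread by also accepting big-endian and nanosecond-resolution files; it is written for Python 3, and the function names and the in-memory sample capture are constructed for illustration.

```python
import io
import struct

# pcap global-header magic bytes -> (struct byte order, sub-second units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def read_records(stream):
    """Yield (tv_sec, tv_frac, frac_per_sec, packet_bytes) with integer timestamps."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, frac_per_sec = MAGICS[header[:4]]
    while True:
        rec = stream.read(16)
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header")
        tv_sec, tv_frac, caplen, _wirelen = struct.unpack(order + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet data")
        yield tv_sec, tv_frac, frac_per_sec, data

def inter_arrival_gaps(stream):
    """Return gaps between consecutive packets as integers in the file's own unit."""
    stamps = [sec * per + frac for sec, frac, per, _ in read_records(stream)]
    return [b - a for a, b in zip(stamps, stamps[1:])]

def build_sample_pcap():
    """Constructed sample capture: three zero-filled packets, microsecond resolution."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # Sub-second values and sizes are constructed sample data.
    for usec, size in ((43549, 199), (43561, 119), (44310, 66)):
        out += struct.pack("<IIII", 1397589057, usec, size, size) + b"\x00" * size
    return out

if __name__ == "__main__":
    for gap in inter_arrival_gaps(io.BytesIO(build_sample_pcap())):
        print("gap: %d us" % gap)
```
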