
Making sense of timestamp in pcap_query, timestamp in sequence filename, and packet timestamp



I'm trying to understand these three different timestamps; they don't seem to be in sync.

1. pycapa captures network traffic and uses the timestamp as the key; the timestamp is in microseconds from epoch.

2. the timestamp in the sequence filename is in nanoseconds from epoch.

I tried to convert these nanoseconds from epoch to a human-readable time and they are very off. For example, taking the time from below... This packet was captured on 2018-02-06 but the timestamp in the filename is way in the future. Is my formula not correct? Nanoseconds to seconds is 1000000000. Looking at the code, it looks like PcapCLI scans for the timestamp in the filename when we run our query. Then it runs the query against the matching files.

[root@hdp-slave-3 0.4.1]# date -d @$((5309030255444767488/1000000000))
Thu Mar 27 22:37:35 EDT 2138

3. the user input of the query timestamp (pcap_query -st yyyyMMdd). The timestamp we use to query must match the timestamp in the filename and then in the packets stored in SequenceFile format.

-rw-r--r-- 3 storm hdfs575 2018-02-06 13:34 /apps/metron/pcap/pcap_pcap_5309030255444767488_0_pcap-7-1517848461

Please shed some light; I'm confused and seem to be making things more complicated than they should be.

Thank you!



I think I found the answer to my questions. I'm posting it here in case it helps someone, or someone can correct my understanding...

1. pycapa by default uses UTC. However, when I looked into the content of the packet, it's using my current system time zone, which is EST.

2. the timestamp in the filename is nanoseconds since epoch as long as my configuration for ts.granularity is set to MICROSECONDS.

3. the timestamp and the file's last-modified timestamp are in sync as long as my ts.granularity is set to MICROSECONDS.
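A quick way to settle the "which granularity is this integer?" question from the original post is to interpret the raw value under every common unit and keep only the interpretations that land near a known reference time (here, the file's modification time from the ls listing). This is an added example, not code from Metron or pycapa; the reference time, the two-day window, and the sample values are taken or assumed from the thread above.

```python
from datetime import datetime, timezone, timedelta

# Candidate granularities: name -> units per second.
GRANULARITIES = {
    "seconds": 1,
    "milliseconds": 10**3,
    "microseconds": 10**6,
    "nanoseconds": 10**9,
}

# datetime cannot represent years beyond 9999; anything past this is not a real epoch.
MAX_UNIX_SECONDS = 253402300799  # 9999-12-31T23:59:59Z

# Assumed reference: the ls listing shows 2018-02-06 13:34 in the poster's EST
# zone, which is 18:34 UTC.
REFERENCE = datetime(2018, 2, 6, 18, 34, tzinfo=timezone.utc)

# Values from the thread: the big number in the sequence filename and the
# seconds-looking suffix at the end of the same filename.
FILENAME_TS = 5309030255444767488
FILENAME_SUFFIX = 1517848461


def interpret_epoch(raw, reference, window=timedelta(days=1)):
    """Interpret `raw` under each granularity.

    Returns {granularity: (utc_datetime_or_None, near_reference)}.
    The datetime is None when the value is not representable as an epoch;
    near_reference is True when it lies within `window` of `reference`.
    """
    results = {}
    for name, per_second in GRANULARITIES.items():
        seconds = raw / per_second
        if 0 <= seconds <= MAX_UNIX_SECONDS:
            dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
            results[name] = (dt, abs(dt - reference) <= window)
        else:
            results[name] = (None, False)
    return results


def plausible_granularities(raw, reference, window=timedelta(days=1)):
    """Granularities under which `raw` falls within `window` of `reference`."""
    return [g for g, (_, ok) in interpret_epoch(raw, reference, window).items() if ok]


if __name__ == "__main__":
    for value in (FILENAME_TS, FILENAME_SUFFIX):
        print(value, "->", interpret_epoch(value, REFERENCE, timedelta(days=2)))
```

Run as-is, the suffix is recognised as plain seconds (2018-02-05 16:34:21 UTC), while the large filename value only parses at all as nanoseconds and then lands in 2138, i.e. it is not a plain epoch at any of these granularities.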
