Posted by: nitishd
Subject: Extracting absolute time from kismet dumps
Date: 17:52:14 09/04/2009

> > I am working on an 802.11 project. For this I sniffed the wireless data using Kismet, and now I've written C code to extract the required features of each packet from the dump. I've extracted various features like source MAC, dest MAC, sequence number etc.
> > I also need the absolute time (epoch time) when the particular frame was captured, but I am not able to figure it out.
> > Doesn't Kismet add any time information while saving the dumps which can be used for extracting absolute time?
> pcap stores the time in each packet header in the pcap structs. I forget if it's an offset to the previous captured packet, a delta from the beginning of the file, or an absolute time, but the data is there. (Open a pcap in Wireshark and you can see the time data.)
> It's in the pcap packet header, not the data portion.
> -m

Yep, Wireshark is showing both absolute time as well as delta from the beginning of the file, but that time information is not stored in the header portion 'cause clicking on absolute time in Wireshark doesn't highlight the corresponding byte in the byte stream of each frame.
Using pcap_offline() I get access to the hex byte stream of each frame, from which I interpret various info.
Could you please shed some more light on which particular pcap struct stores the time information and how to access that struct?
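Added example, not the poster's code and not part of Kismet or libpcap: a self-contained C walk of where that time actually lives. Every frame in a classic pcap file is preceded by a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) that Wireshark shows as metadata but never as frame bytes; libpcap returns that same header as struct pcap_pkthdr (its ts member is the epoch timestamp) from pcap_next()/pcap_loop() after pcap_open_offline(). The capture bytes below are constructed, and pcap_first_record_time and rd32 are hypothetical helper names.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Offsets from the classic pcap file format: a 24-byte file header, then a
 * 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) before each frame.
 * libpcap exposes the same record header as struct pcap_pkthdr (ts, caplen, len). */
#define PCAP_FILE_HDR_LEN 24
#define PCAP_REC_HDR_LEN  16

/* Constructed sample capture (not a real Kismet dump): little-endian file header
 * with DLT_IEEE802_11 (105), one 10-byte record stamped 1252100000.123456 UTC. */
const unsigned char kSampleCapture[] = {
    0xd4, 0xc3, 0xb2, 0xa1,  0x02, 0x00, 0x04, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0xff, 0xff, 0x00, 0x00,  0x69, 0x00, 0x00, 0x00,
    0xa0, 0x87, 0xa1, 0x4a,  0x40, 0xe2, 0x01, 0x00,  0x0a, 0x00, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x00,  0xff, 0xff, 0xff, 0xff,  0xff, 0xff   /* frame bytes */
};
/* Read a 32-bit field, byte-swapping when the file was written by an opposite-endian host. */
static uint32_t rd32(const unsigned char *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap) v = (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
    return v;
}

/* Returns the first record's captured length and fills in its epoch timestamp,
 * or -1 when the buffer is not a complete classic (microsecond) pcap image. */
int pcap_first_record_time(const unsigned char *buf, size_t len, uint32_t *sec, uint32_t *usec) {
    if (len < PCAP_FILE_HDR_LEN + PCAP_REC_HDR_LEN) return -1;
    uint32_t magic;
    memcpy(&magic, buf, 4);
    int swap;
    if (magic == 0xa1b2c3d4u) swap = 0;          /* same byte order as this host */
    else if (magic == 0xd4c3b2a1u) swap = 1;     /* opposite byte order */
    else return -1;                              /* not a classic pcap file */
    const unsigned char *rec = buf + PCAP_FILE_HDR_LEN;
    *sec  = rd32(rec, swap);                     /* seconds since the Unix epoch */
    *usec = rd32(rec + 4, swap);                 /* microseconds within that second */
    uint32_t caplen = rd32(rec + 8, swap);
    if (caplen > len - PCAP_FILE_HDR_LEN - PCAP_REC_HDR_LEN) return -1;  /* truncated record */
    return (int)caplen;
}

int main(void) {
    uint32_t sec, usec;
    int n = pcap_first_record_time(kSampleCapture, sizeof kSampleCapture, &sec, &usec);
    if (n < 0) { puts("bad capture"); return 1; }
    printf("first frame: %d bytes captured at %u.%06u (epoch)\n", n, (unsigned)sec, (unsigned)usec);
    return 0;
}
```

With libpcap you never parse these bytes yourself: the pcap_pkthdr pointer that pcap_next()/pcap_loop() hands to your callback already carries hdr->ts.tv_sec and hdr->ts.tv_usec, and the packet pointer starts at the frame data, which is why the byte stream you are decoding never contains the time.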

