You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@drill.apache.org by Giovanni Conte <gi...@gmail.com> on 2019/02/20 10:39:40 UTC

Query Timestamps in microseconds from pcap

Hi,
I would like to do the timestamps difference of packet captures (pcap). The
problem is that, when i do:
drill:zk=local> SELECT `timestamp` FROM dfs.root.`/capture_file.pcap`;

i get (showing the first 2 rows)
| 2019-01-30 05:00:00.207  |
| 2019-01-30 05:00:00.207  |
We can see milliseconds accuracy.

On wireshark, the timestamps are:
2019-01-30 05:00:00.207*239*
2019-01-30 05:00:00.207*243*
and so microseconds accuracy.

I tried so to change the timestamp format from "default" to "yyyy-MM-dd
HH:mm:ss.SSSSSS"  with the commad:
jdbc:drill:zk=local> !set timestampformat "yyyy-MM-dd HH:mm:ss.SSSSSS"

Now, when I query I get:
| 2019-01-23 05:00:00.000207  |
| 2019-01-23 05:00:00.000207  |
and instead of taking the *second triple*, i.e. the microseconds *239* and
*243*, it is shifting the milliseconds at the microsecons position.
Thus, the simple question is: how can I get microsecond (or more) accurancy
within a pcap query?
Thank you very much,

Giovanni

Re: Query Timestamps in microseconds from pcap

Posted by Angelo Mantellini <am...@gmail.com>.

Interesting question,
I have the same problem,
I hope you can find a solution.

Angelo

On 20/02/2019, 11:39, "Giovanni Conte" <gi...@gmail.com> wrote:

    Hi,
    I would like to do the timestamps difference of packet captures (pcap). The
    problem is that, when i do:
    drill:zk=local> SELECT `timestamp` FROM dfs.root.`/capture_file.pcap`;
    
    i get (showing the first 2 rows)
    | 2019-01-30 05:00:00.207  |
    | 2019-01-30 05:00:00.207  |
    We can see milliseconds accuracy.
    
    On wireshark, the timestamps are:
    2019-01-30 05:00:00.207*239*
    2019-01-30 05:00:00.207*243*
    and so microseconds accuracy.
    
    I tried so to change the timestamp format from "default" to "yyyy-MM-dd
    HH:mm:ss.SSSSSS"  with the commad:
    jdbc:drill:zk=local> !set timestampformat "yyyy-MM-dd HH:mm:ss.SSSSSS"
    
    Now, when I query I get:
    | 2019-01-23 05:00:00.000207  |
    | 2019-01-23 05:00:00.000207  |
    and instead of taking the *second triple*, i.e. the microseconds *239* and
    *243*, it is shifting the milliseconds at the microsecons position.
    Thus, the simple question is: how can I get microsecond (or more) accurancy
    within a pcap query?
    Thank you very much,
    
    Giovanni