drill-user mailing list archives

From Giovanni Conte <gio....@gmail.com>
Subject Query Timestamps in microseconds from pcap
Date Wed, 20 Feb 2019 10:39:40 GMT
Hi,
I would like to compute the timestamp differences of packet captures (pcap). The
problem is that, when I do:
drill:zk=local> SELECT `timestamp` FROM dfs.root.`/capture_file.pcap`;

I get (showing the first 2 rows):
| 2019-01-30 05:00:00.207  |
| 2019-01-30 05:00:00.207  |
We can see millisecond accuracy.

In Wireshark, the timestamps are:
2019-01-30 05:00:00.207*239*
2019-01-30 05:00:00.207*243*
and so microsecond accuracy.

So I tried to change the timestamp format from "default" to "yyyy-MM-dd
HH:mm:ss.SSSSSS" with the command:
jdbc:drill:zk=local> !set timestampformat "yyyy-MM-dd HH:mm:ss.SSSSSS"

Now, when I query I get:
| 2019-01-23 05:00:00.000207  |
| 2019-01-23 05:00:00.000207  |
and instead of taking the *second triple*, i.e. the microseconds *239* and
*243*, it is shifting the milliseconds to the microseconds position.
Thus, the simple question is: how can I get microsecond (or more) accuracy
within a pcap query?
Thank you very much,

Giovanni
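
The classic pcap record header stores seconds and a fractional field as separate 32-bit integers, so the microseconds Wireshark shows are present in the file itself. As an added example (not part of the original post, and not Drill code), this Python script reads those fields directly and computes packet-to-packet differences; the sample capture is constructed, and its timestamps are assumed to be UTC.

```python
import struct
from datetime import datetime, timezone

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, fraction field in microseconds
MAGIC_NSEC = 0xA1B23C4D  # classic pcap, fraction field in nanoseconds

def read_timestamps(data):
    """Return (digits, [(sec, frac), ...]); digits is 6 (us) or 9 (ns)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):  # the magic number also tells us the byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    digits = 6 if magic == MAGIC_USEC else 9
    stamps, off = [], 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len  # skip the record header and the captured bytes
        if off > len(data):
            raise ValueError("truncated packet record")
        stamps.append((sec, frac))
    return digits, stamps

def format_ts(sec, frac, digits):
    """Render one timestamp in UTC with the file's full fractional precision."""
    day = datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{day}.{frac:0{digits}d}"

def deltas(stamps, digits):
    """Differences between consecutive packets, in the file's own unit."""
    ticks = [sec * 10**digits + frac for sec, frac in stamps]
    return [b - a for a, b in zip(ticks, ticks[1:])]

def build_sample():
    """Constructed two-packet capture using the fractions quoted in the post."""
    base = int(datetime(2019, 1, 30, 5, 0, 0, tzinfo=timezone.utc).timestamp())
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for usec in (207239, 207243):
        payload = bytes(14)  # dummy payload, contents irrelevant here
        out += struct.pack("<IIII", base, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    digits, stamps = read_timestamps(build_sample())
    for sec, frac in stamps:
        print(format_ts(sec, frac, digits))
    print("deltas:", deltas(stamps, digits))
```

Integer arithmetic on the two fields avoids the rounding that a millisecond-resolution timestamp type or a float conversion would introduce.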
