drill-user mailing list archives

From Angelo Mantellini <amantell...@gmail.com>
Subject Re: Query Timestamps in microseconds from pcap
Date Wed, 20 Feb 2019 18:05:32 GMT
Interesting question,
I have the same problem,
I hope you can find a solution.

Angelo

On 20/02/2019, 11:39, "Giovanni Conte" <gio.cnt@gmail.com> wrote:

    Hi,
    I would like to compute the timestamp difference of packet captures (pcap). The
    problem is that, when I do:
    drill:zk=local> SELECT `timestamp` FROM dfs.root.`/capture_file.pcap`;
    
    I get (showing the first 2 rows)
    | 2019-01-30 05:00:00.207  |
    | 2019-01-30 05:00:00.207  |
    We can see milliseconds accuracy.
    
    On Wireshark, the timestamps are:
    2019-01-30 05:00:00.207*239*
    2019-01-30 05:00:00.207*243*
    and so microseconds accuracy.
    
    So I tried to change the timestamp format from "default" to "yyyy-MM-dd
    HH:mm:ss.SSSSSS" with the command:
    jdbc:drill:zk=local> !set timestampformat "yyyy-MM-dd HH:mm:ss.SSSSSS"
    
    Now, when I query I get:
    | 2019-01-23 05:00:00.000207  |
    | 2019-01-23 05:00:00.000207  |
    and instead of taking the *second triple*, i.e. the microseconds *239* and
    *243*, it is shifting the milliseconds to the microseconds position.
    Thus, the simple question is: how can I get microsecond (or better) accuracy
    within a pcap query?
    Thank you very much,
    
    Giovanni
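
Added example, not part of the original thread and not Drill code: the classic pcap record header stores whole seconds and a separate sub-second field, so the microsecond digits Wireshark displays can be read straight from the file and differenced without loss. The sample capture is constructed in memory from the two timestamps quoted above (UTC assumed); `pcap_timestamps`, `micros`, `fmt` and `build_sample` are names chosen for this example.

```python
import struct
from datetime import datetime, timezone

# Magic as read little-endian -> (byte order of the file, sub-second units per second)
MAGICS = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),  # microsecond pcap
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),  # nanosecond pcap
}

def pcap_timestamps(data):
    """Return (seconds, fraction, units_per_second) for every record in classic pcap bytes."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    order, units = MAGICS[magic]
    out, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        if frac >= units or off + 16 + incl_len > len(data):
            raise ValueError("corrupt or truncated record at offset %d" % off)
        out.append((sec, frac, units))
        off += 16 + incl_len  # skip the 16-byte record header and the packet bytes
    return out

def micros(rec):
    """Microseconds since the epoch as an integer, so no float rounding occurs."""
    sec, frac, units = rec
    return sec * 10**6 + frac * 10**6 // units

def fmt(rec):
    us = micros(rec)
    day = datetime.fromtimestamp(us // 10**6, timezone.utc)
    return day.strftime("%Y-%m-%d %H:%M:%S") + ".%06d" % (us % 10**6)

def build_sample():
    """Constructed two-packet capture using the timestamps quoted in the thread."""
    base = int(datetime(2019, 1, 30, 5, 0, 0, tzinfo=timezone.utc).timestamp())
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # Ethernet link type
    for usec in (207239, 207243):
        payload = b"\x00" * 14  # dummy frame bytes
        pcap += struct.pack("<IIII", base, usec, len(payload), len(payload)) + payload
    return pcap

if __name__ == "__main__":
    recs = pcap_timestamps(build_sample())
    for r in recs:
        print(fmt(r))
    print("delta_us =", micros(recs[1]) - micros(recs[0]))
```

Truncating either value to milliseconds yields the same `.207`, which is why the difference disappears in the millisecond output shown in the thread.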
    


