I don't think the actual packets have timestamps -- could be wrong -- but I know the libpcap files do contain them. I think your best bet (as mentioned above) is to use the
Net::Pcap library to read the source file and get the timestamps from there. It seems it does have a
pcap_open_offline method, which I don't know how to use, that probably reads the file in.
How to get the actual timestamps from the packets:
sub process_packet {
my($user_data, $header, $packet) = @_;
print "time: $header->{tv_sec}\n";
}
# The header information is a reference to a hash containing the fol
+lowing fields.
#
# * "len" - the total length of the packet.
# * "caplen" - the actual captured length of the packet
# * "tv_sec" - seconds value of the packet timestamp.
# * "tv_usec" - microseconds value of the packet timestamp.