extras: timestamp for journal entries

eqvinox · eqvinox · commit 3c3584324f44 · 2023-07-23T16:56:59.000-07:00
... to allow nanosecond resolution.
diff --git a/draft-richardson-opsawg-pcapng-extras.md b/draft-richardson-opsawg-pcapng-extras.md
@@ -176,10 +176,47 @@ The systemd Journal Export Block has the following fields:
   can be present.
 
 
-The options defined in {{I-D.tuexen-opsawg-pcapng}}, section "Options"
-(opt_endofopt, opt_comment, opt_custom, ...) are valid within this block.
-There are currently no additional options definied for Journal Export
-Blocks.
+Aside from the options defined in {{I-D.tuexen-opsawg-pcapng}},
+section "Options" (opt_endofopt, opt_comment, opt_custom, ...),
+the following options are valid within this block:
+
+| Name | Code | Length | Multiple allowed? |
+| jeb_timestamp | 2 | 12 | no |
+{: #options_jeb title='Journal Export Block Options'}
+
+
+
+~~~~
+                        1                   2                   3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 0 |                    Option Type = 0x00000002                   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 4 |                    Timestamp Seconds (High)                   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 8 |                    Timestamp Seconds (Low)                    |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+12 |                     Timestamp Nanoseconds                     |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+~~~~
+{: #format_jeb_timestamp title='Journal Export Block Timestamp Format' artwork-align="center"}
+
+{: indent='8'}
+jeb_timestamp:
+: This option allows providing an extended precision timestamp for the
+  captured journal entry.  While microsecond resolution is a good choice
+  for general system logging, debugging and tracing use cases covered by
+  pcap-ng benefit from more precise timestamps to correlate other events.
+
+  The timestamp is in units of that have elapsed since 1970-01-01 00:00:00 UTC.
+  Note that these are 3 32-bit fields using the endianness indicated by the
+  Section Header Block.  The third word is always nanoseconds and unaffected by
+  timestamp resolution options elsewhere.
+
+  Even if this option is used, the __REALTIME_TIMESTAMP field MUST still be
+  present in the journal entry.  The two items SHOULD have the same value
+  (ignoring the difference in precision).
+{: vspace='0'}
 
 
 ## Alternative Packet Blocks (experimental)
