From dce30c876ec6cad4363113451028c4146cc55470 Mon Sep 17 00:00:00 2001 From: David Lamparter Date: Thu, 1 Sep 2022 11:52:10 +0200 Subject: [PATCH] extras: timestamp for journal entries ... to allow nanosecond resolution. --- draft-richardson-opsawg-pcapng-extras.md | 43 ++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/draft-richardson-opsawg-pcapng-extras.md b/draft-richardson-opsawg-pcapng-extras.md index 9543ffc..27d44af 100644 --- a/draft-richardson-opsawg-pcapng-extras.md +++ b/draft-richardson-opsawg-pcapng-extras.md 
@@ -178,9 +178,46 @@ TBD: fix cross-reference (section_opt) the rules defined in Xsection_optX) can be present. -The options defined in Xsection_optX are valid within this block. -There are currently no additional options definied for Journal Export -Blocks. +Aside from the options defined in Xsection_optX, the +following options are valid within this block: + +| Name | Code | Length | Multiple allowed? | +| jeb_timestamp | 2 | 12 | no | +{: #options_jeb title='Journal Export Block Options'} + + + +~~~~ + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 0 | Option Type = 0x00000002 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 4 | Timestamp Seconds (High) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 8 | Timestamp Seconds (Low) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +12 | Timestamp Nanoseconds | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +~~~~ +{: #format_jeb_timestamp title='Journal Export Block Timestamp Format' artwork-align="center"} + +{: indent='8'} +jeb_timestamp: +: This option allows providing an extended precision timestamp for the + captured journal entry. While microsecond resolution is a good choice + for general system logging, debugging and tracing use cases covered by + pcap-ng benefit from more precise timestamps to correlate other events. + + The timestamp is in units of that have elapsed since 1970-01-01 00:00:00 UTC. + Note that these are 3 32-bit fields using the endianness indicated by the + Section Header Block. The third word is always nanoseconds and unaffected by + timestamp resolution options elsewhere. + + Even if this option is used, the __REALTIME_TIMESTAMP field MUST still be + present in the journal entry. The two items SHOULD have the same value + (ignoring the difference in precision). 
+{: vspace='0'} ## Alternative Packet Blocks (experimental)
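Review bot: the description of jeb_timestamp has a missing word in "The timestamp is in units of that have elapsed since 1970-01-01 00:00:00 UTC", and as written nothing in the figure or the prose says how the three words combine or bounds the third one. Suggest stating it explicitly, e.g. "The first two words form an unsigned 64-bit count of seconds that have elapsed since 1970-01-01 00:00:00 UTC; the third word is the number of nanoseconds within that second and MUST be in the range 0 to 999999999", and saying what a reader does with a value outside that range (ignore the option, or treat the block as malformed), since the nanoseconds field is declared independent of the section's timestamp resolution options and so cannot inherit a range from them. Two smaller points in the same region: the "SHOULD have the same value" sentence about __REALTIME_TIMESTAMP leaves open which field a reader treats as authoritative when they differ beyond the precision difference, so name one; and the options table has no separator row after "| Name | Code | Length | Multiple allowed? |", so kramdown will render that line as a body row rather than a header unless a "|---|---|---|---|" line is added, as is done for the other option tables in this draft.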