On Mon, Jul 17, 2000 at 06:13:03PM -0700, Guy Harris wrote:
> There is, I suspect, something wrong with the time-stamp reading code
> for Sniffer-format files in both the version of Network Monitor I have
> here *and* in the Wiretap library used by Ethereal/Tethereal/editcap. I
> shall have to see what the time stamps are in the two ".trc" files, and
> see why Wiretap is concluding they are what they are.

Well, the code in Wiretap for sniffer files ignores the time value in
the file header; there's a comment saying

	/* The time does not appear to act as an offset; only the date

commenting out the code that looks at them.

This *might* have been derived from some code in a modified version of
libpcap I have that reads Sniffer files; the comment there was

	/*
	 * XXX - it appears that the time stamps are times *since the
	 * beginning of the day the capture was started*, not since
	 * the second the capture was started.
	 */

That looks like the sort of comment I'd write, and the code in tcpview,
from which I derived the libpcap code, didn't bother to look at the time
and date values in the file header *at all*, it just used the per-packet
time stamps (which doesn't work at all), so I *presume* there was some
file where it *appeared* that the per-packet time stamps were relative
to the beginning of the day the capture was started.

Can you get your Sniffer back