On Mon, Jul 17, 2000 at 08:37:46PM -0700, Guy Harris wrote:
> That may help me figure out whether the
> Sniffer-file code really does need to take into account the time in the
> file header.
I found half of an e-mail conversation between Gilbert and me (I didn't
save my messages, just his), from which I infer that, in at least some
cases, taking the time in the file header into account gives the *wrong*
answer:
    Okay, I finally have everything set up; my new Linux laptop, my
    token-ring network, and the kids are in bed. At least according
    to NAI's Sniffer Pro, the time offsets of the packets are
    calculated from 00:00:00 that day. When I set tm_hour, tm_min,
    and tm_sec to 0, wiretap's date/time calculations equalled those
    of Sniffer Pro's.
and, in a subsequent message:
    I verified the absolute time on the packets via Sniffer, the DOS
    version, and they show the same as Sniffer Pro.
so it's not as if Sniffer Pro (whose native file format is, as I
remember, a descendant of that of Cinco Networks' NetXRay, Network
Associates having bought Cinco) got it wrong.
This is, umm, deeply frustrating. Given that I've seen what I presume
are different versions of Network Monitor give different times for the
*same* file, as noted in my previous mail:
    NetMon here and NetMon in your PNG agree on the time stamp for
    "netmon.trc"; however, they differ by some non-integral number of
    hours for "oae.trc" (00:54:17.000 here, 00:02:48.037 there) and
    "3com.trc" (00:54:29.000 here, 00:02:16.371 there) - that's
    differences between the time stamps for the *same file*, so
    there's more than just summer time involved (that would make
    them differ by one hour).
and given that neither Ethereal/Tethereal as they exist now, nor with
changes to take the time value in the file header into account, appears
to generate the same time stamp as either version of Network Monitor does,
I'm inclined not to trust time stamps in Sniffer files as reported by
Network Monitor, and trust *only* time stamps reported by Sniffers for
those files.
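The two conventions being compared in this thread, as an added illustration (not wiretap's code, and not anything Guy or Gilbert posted), using a constructed header date/time and packet offset: the Sniffer Pro rule Gilbert found, where the packet offset counts from 00:00:00 of the header's day with tm_hour/tm_min/tm_sec zeroed, beside the alternative of also adding the header's own time of day, so the size of the resulting discrepancy is visible.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed sample standing in for the date/time wiretap reads from a
 * Sniffer file header, plus one packet's time offset (seconds into the day). */
struct sniffer_hdr { int year, month, day, hour, min, sec; };
static const struct sniffer_hdr SAMPLE_HDR = { 2000, 7, 17, 20, 37, 46 };
static const int64_t SAMPLE_OFFSET_S = 54 * 60 + 17;   /* 00:54:17 */

/* Seconds from the Unix epoch to 00:00:00 UTC on the civil date held in
 * tm_year/tm_mon/tm_mday. Computed by hand (days-from-civil) because
 * timegm() is not portable and mktime() would apply the local time zone. */
static int64_t tm_date_to_epoch(const struct tm *t) {
    int64_t y = t->tm_year + 1900, m = t->tm_mon + 1, d = t->tm_mday;
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (era * 146097 + doe - 719468) * 86400;
}

/* Sniffer Pro convention, per Gilbert: the packet offset counts from
 * 00:00:00 of the header's day, so tm_hour, tm_min and tm_sec are zeroed. */
int64_t abs_time_midnight_base(const struct sniffer_hdr *h, int64_t offset_s) {
    struct tm t = { 0 };
    t.tm_year = h->year - 1900;
    t.tm_mon  = h->month - 1;
    t.tm_mday = h->day;
    t.tm_hour = t.tm_min = t.tm_sec = 0;   /* the change Gilbert tested */
    return tm_date_to_epoch(&t) + offset_s;
}

/* The alternative under discussion: also add the header's own time of day. */
int64_t abs_time_header_base(const struct sniffer_hdr *h, int64_t offset_s) {
    return abs_time_midnight_base(h, offset_s)
         + (int64_t)h->hour * 3600 + h->min * 60 + h->sec;
}

int main(void) {
    int64_t a = abs_time_midnight_base(&SAMPLE_HDR, SAMPLE_OFFSET_S);
    int64_t b = abs_time_header_base(&SAMPLE_HDR, SAMPLE_OFFSET_S);
    printf("midnight base: %" PRId64 "\nheader base:   %" PRId64 "\n"
           "difference:    %" PRId64 " s\n", a, b, b - a);
    return 0;
}
```

For the sample header the two readings differ by the header's full time of day (74266 s here), which is the kind of non-integral-hours gap the message describes.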