Ethereal-dev: Re: [Ethereal-dev] Some strange behavior(wiretap on netxray)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 11 Dec 2001 13:50:48 -0800 (PST)
> I have two files that were created by Sniff Pro and NetXRay.
> In both files the 'timeunit' field is set to 2.
> The Sniff Pro file has version 002.002 and the NetXRay file version 001.100.
> In both captures we have a problem with reading them in Ethereal.
> 
> The Sniff Pro capture has exactly triple the value of ticks per
> second (1193180*3=3579540.0).
> The NetXRay capture has a tps value of 459.761*1193180.

I.e., the time unit is 548577629.980 ticks per second, or something on
the order of 2 nanoseconds?

> And yet another interesting thing: we have two machines with
> Sniff Pro and NetXRay installed on them.
> The configuration of the Sniff Pro box is Dual Pentium II 500, Intel PRO/100+
> Management NIC, media - 10BaseT.
> The NetXRay box has 100BaseT media.
> Captures can be read on those machines with the right times.
> On a Single Pentium II 350 with a 3Com 59x NIC we have exactly the same effect
> as described above.

So you have version 002.002 files from two machines, and version 001.100
files from two machines?

What are all the fields that differ in the file headers between the two
002.002 files and between the two 001.100 files?

> Does it mean that tps depends on computer configuration?
> Does it mean that tps changes between file versions?
> What exactly does the timeunit value mean?
> 
> Any opinions?

The only people likely to have *authoritative* opinions probably either
work, or worked, for Cinco Networks or Network Associates.  We're stuck
with reverse-engineering.

The tps value does appear to change between file versions.

I don't know what controls how the various programs that use NetXRay
format time-stamp packets.  Some of it may depend on which version of
which program it is, which may be reflected in the file version number. 
Some of it may depend on what hardware the machine has, or on what
operating system the machine is running (Windows OT or Windows NT, and
which version of those - 95, 98, or Me for Windows OT, 3.x, 4.0,
5.0^H^H^HW2K, or 5.1^H^H^HWXP for Windows NT).

In some captures, there appears to be a value in the file header that
represents the units of the time stamps.  I don't know whether that's
the case for all versions of the file format.  I also don't know whether
the interpretation of that value differs depending on other information
in the file header.