Francis J. Hitchens wrote:
Guy,
I saw that you responded to a posting regarding the need for an
updated Network Associates file format decoder.
Guy Harris said:
We'd update the decoder if we knew what the changes were.
I've finally spent some time determining in detail why times display
differently with Ethereal than with a sniffer for certain sniffer captures
I've taken.
Based upon my investigation, I've made some changes to netxray.c to
properly display the time for certain cases (based upon the sample of
sniffer capture files I've access to).
I'll submit the patches on 11/21/04.
Bill Meier
Would you happen to know what became of the fix? I've downloaded the
latest ethereal 0.10.10 but am still seeing the out of whack times
from Sniffer traces.
There have been a variety of updates. The main updates came from James
Fields and Kevin Johnson; they found, in the file header, a value that,
at least for some captures, is the exact units of the time stamps, so,
for newer captures, the time stamps should be correct. I don't know
whether any of the problems Bill Meier saw were fixed by James and
Kevin's changes; they might have been.
However, there are some captures that still have problems. It might
have been that, before we knew that for some captures, we "fixed"
problems with some capture files by changing the table of time stamp
units. If the captures that we "fixed" the NetXRay file reader (which
is also used for the Windows Sniffer software) to handle had the time
stamp units in the header - meaning that the "fix" was the wrong change,
and James and Kevin's change was the right change - perhaps the "fix"
broke the handling of older captures that didn't have the time stamp
units in the header.