Ethereal-dev: [Ethereal-dev] Re: some netxray traces off by time factor
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Bill Meier" <wmeier@xxxxxxxxxxx>
Date: Sun, 07 Aug 2005 22:34:23 -0500
Matt Jibson wrote: >> The working file: >> hdr.timeunit = 2 >> hdr.realtick = 0x001234de = 1193182 >> It's timeunit thus ends up as 1193182, since hdr.realtick != 0. >> >> >> The broken file: >> hdr.timeunit = 0 >> hdr.realtick = 0x369e99 = 3579545 >> It's timeunit is 3579545, since hdr.realtick != 0. >> This broken file is fixed by: timeunit /= 3.579545, which yields a >> timeunit of 1000000. This corresponds to TpS[0], or TpS[hdr.timeunit]. >> This is important around line 420 of wiretap/netxray.c. Guy Harris wrote > Are there any files with hdr.timeunit = 0 and a non-zero hdr.realtick where the time stamp tick > is the value from hdr.realtick, rather than 1 microsecond? (This question is asked of the > audience at large, including the guys who discovered hdr.realtick in the first place.) > > I.e., does hdr.timeunit mean the time stamp units are 1 microsecond regardless of what's in > hdr.realtick, with hdr.realtick used only for hdr.timeunit = 2 and *maybe* hdr.timeunit = 1? I've finally done a detailed analysis of the various capture files I have; (My apologies for not getting to this much earlier). For the capture files I have (and for several of the sniffer captures posted in the last some number of months on the ethereal-.... mailing lists) it would seem to me that 'real-tck' doesn't give the right answer much of the time. Please see the attached detailed analysis which hopefully will be of help. Bill Meier
Some cases for Sniffer capture time decode
------------------------------------------
[8/7/05]
Each of the lines in the table below is an extract from a sniffer capture;
(6 are from a set of captures I have and 3 are taken from posts on ethereal...).
1. ver, netw (network), captype, timeunit, realtick, hdr.timehi, hdr.timelo are taken from the header section
of each capture.
pkt.timehi, pkt.timelo are taken from the info for the first packet (frame)
2. "req'd tick" is the tick value which when used by Ethereal gives the correct times (i.e.: times matching those shown by sniffer)
(To verify, I've done a detailed comparison of the Ethereal times vs Sniffer times for (up to) the first 10
frames of each capture. One example is shown below).
(I've now a semi-automated process for doing the comparisons given a sniffer .cap file and a sniffer .prn file with packet details).
Comments
1. It appears that (at least for the files that I have) that "realtick" in most cases is not the correct value for 'tick"
(I wonder what's really going on with respect to 'realtick')
2. It appears that hdr.timehi, hdr.timelo must be ignored for both ethernet cap types 2 and 3 [GIGPOD and OTHERPOD];
(At least for timeunt = 0);
Is this also true for ethernet captype = 6 [GIGPOD2] ?
(These are the cases which tend to cause the negative fractionl seconds to display)
3. Obviously netxray can be coded to handle the following cases (and I've done so for my purposes);
My bet is that (as others have suggested) there's more to this.
Hopefully this information can be of use.
[[[ Note: The following is best seen using a fixed width font ]]]
file_name ver netw netw+1 captyp timeunit req'd_tick realtick hdr.timhi hdr.timlo pkt1.timehi pkt1.timelo
-------------- ---- ---- ------ ------ ------- ---------- -------- --------- --------- ----------- ------------
3Way-Handshake v2.2 0 0 0 0 1000000 1193182 0 0 3 2833488013
pingtest.host2 v2.2 0 0 0 0 1000000 3579545 0 0 0 99862327
v2x1_0_0_0_arp1 v2.1 0 0 0 0 1000000 1193000 0 0 0 10513190
f1 v2.2 0 0 0 0 1000000 1193182 0 0 0 1388474
f2 v2.2 0 0 0 2 1193182 1193182 838 3086185485 1028 1500901704 hdr.timxx OK
f3 v2.2 0 0 2 0 1000000000 1193182 0 0 121300 57728512 ? gig pod
f4 v2.2 0 0 2 2 31250000 1193182 2662 1650257505 0 14689 ? gig pod
f5 v2.2 0 0 3 0 1000000 1193182 0 0 0 138804363 ? non-gig pod
f6 v2.2 0 0 3 2 1250000 1193182 167 3360335544 24 3612438917 ? non-gig pod
Detail information for "3Way-Handshake" capture
===============================================
(Note: "netxray" time values are from a hacked version of netxray which used timeunit values as shown below after --> timenit).
3Way-Handshake
>> Header:
ver: 2.2
fhdr.network: 0
fhdr.network+1: 0
fhdr.capture_type: 0
fhdr.timeunit: 0
fhdr.start_time: 1108565617
fhdr.timehi, fhdr.timelo: 0, 0
fhdr.realtick: 1193182
--> timeunit: 1000000
--> start_time: 02/16/2005 09:53:37
--> start_time_offset: 0.000000 [0:00:00.000.000]
>> Frame(s):
1: timehi/timelo: 3,2833488013 ---> 4:21:58.389.901
sniffer prn: abs: 02/16/2005 02:15:35 rel: 0:00:00.000 delta: 0.000.000 arrive: 14:15:35.3899
netxray: : abs: 02/16/2005 14:15:35 rel: 0:00:00.000 delta: 0.000.000 arrive: 14:15:35.3899
2: timehi/timelo: 3,2833496407 ---> 4:21:58.398.295
sniffer prn: abs: 02/16/2005 02:15:35 rel: 0:00:00.008 delta: 0.008.394 arrive: 14:15:35.3983
netxray: : abs: 02/16/2005 14:15:35 rel: 0:00:00.008 delta: 0.008.394 arrive: 14:15:35.3983
3: timehi/timelo: 3,2833500583 ---> 4:21:58.402.470
sniffer prn: abs: 02/16/2005 02:15:35 rel: 0:00:00.012 delta: 0.004.176 arrive: 14:15:35.4025
netxray: : abs: 02/16/2005 14:15:35 rel: 0:00:00.012 delta: 0.004.176 arrive: 14:15:35.4025
- Follow-Ups:
- Re: [Ethereal-dev] Re: some netxray traces off by time factor
- From: Guy Harris
- Re: [Ethereal-dev] Re: some netxray traces off by time factor
- Prev by Date: [Ethereal-dev] Buildbot crash output
- Next by Date: [Ethereal-dev] Re: Patch for indefinite length for packet-ber.candvarious fixes to tcap dissector.
- Previous by thread: [Ethereal-dev] Re: Output feature request: XSLT processor (2nd try)
- Next by thread: Re: [Ethereal-dev] Re: some netxray traces off by time factor
- Index(es):