On Wed, Apr 12, 2006 at 09:47:02PM -0500, Bill Meier wrote:
> Sake Blok wrote....
>
> > I have taken a look at the trace myself and calculated the TpS to be
> > 20000000.0 for this particular trace. If I also discard the start_timestamp
> > like it has been done for other versions of the netxray format, then
> > I get the proper results.
> >
>
> OK

Included is the patch with the changes mentioned above; could these be
checked in?

> > On another trace, taken with Sniffer Portable, I see that the TpS is
> > a factor 3 off, in the source I see the following:
> >
> > * XXX - the third item is 1193180.0, presumably because somebody found
> > * it gave the right answer for some captures, but 3 times that, i.e.
> > * 3579540.0, appears to give the right answer for some other captures.
> > * Some captures have realtick of 1193182, some have 3579545, and some
> > * have 1193000. Most of those, in one set of captures somebody has,
> > * are wrong.
> >
> > For my trace the 3579540.0 would be the correct value.
> > Is it ok for me to include value 3579540.0 in the patch I'm
> > about to make? Or would that result in a flip-flopping value?
> >
> > Might these timeunit indexes be different for different major/minor
> > versions of this file-format?
>
> Certainly a possibility... Or perhaps something else is different to
> determine the TpS to be used. In any case, as the comment in the source
> indicates, there are captures for which 1193182 is the correct TpS value for
> this captype/timeunit and so the value should not be changed.

OK, I left this value as is...

> Can you provide the capture so I can compare it to other captures to see
> whether the versions are different or whether something else is different?

Unfortunately this file contains unencrypted Internet banking data. Is it
OK if I send you only the file-header (first 128 bytes)?

> > That leaves me with my initial question, did anyone try to get the
> > specs of the file-format from Network General?
>
> (The short answer: I don't know so I'll leave this to others on the list to
> answer).

I will ask the guys who made these traces (who do nothing else) if they
have any support contacts within Network General that might be of help
here :)

Cheers, Sake

Index: wiretap/netxray.c
===================================================================
--- wiretap/netxray.c (revision 17854)
+++ wiretap/netxray.c (working copy)
@@ -210,7 +210,7 @@
/*
* Table of time units for Ethernet captures with captype ETH_CAPTYPE_GIGPOD2.
*/
-static double TpS_gigpod2[] = { 1e9, 0.0, 0.0 };
+static double TpS_gigpod2[] = { 1e9, 0.0, 20000000.0 };
#define NUM_NETXRAY_TIMEUNITS_GIGPOD2 (sizeof TpS_gigpod2 / sizeof TpS_gigpod2[0])
/* Version number strings. */
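Review bot: The new third entry of TpS_gigpod2 (20000000.0) carries no comment on where it comes from, although the message says it was calculated from one particular trace. The table comment should record that the value is empirical and which timeunit index it was observed with, in the same way the XXX note quoted earlier in this mail documents the uncertain 1193180.0 entry. Entry 1 of the table stays 0.0; this hunk does not show whether a zero entry is rejected before it is used as timeunit, which is worth confirming.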
@@ -567,6 +567,16 @@
return -1;
}
timeunit = TpS_gigpod2[hdr.timeunit];
+ /*
+ * XXX: start time stamp in the one capture file examined of this type was 0;
+ * We'll assume the start time handling is the same as for other pods.
+ *
+ * At least for 002.002 and 002.003
+ * captures, the start time stamp is 0,
+ * not the value in the file.
+ */
+ if (version_minor == 2 || version_minor == 3)
+ start_timestamp = 0.0;
break;
default:
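Review bot: The comment added above the version_minor check makes two statements that do not agree: its first paragraph says the start time stamp in the one capture examined was 0 and that the handling is assumed to match other pods, while its second says that for 002.002 and 002.003 the start time stamp is 0, "not the value in the file". Please merge these into one statement that names the version of the capture that was actually examined, since the condition `version_minor == 2 || version_minor == 3` covers two minor versions on the evidence of a single file. If only one of the two was observed, either restrict the condition to it or say in the comment that the other is an assumption.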