On Thu, May 18, 2000 at 08:43:52AM -0500, Ron Flory wrote:
> is this the expected behavior?

Yes.

> It is quite different from tcpdump,

So is the summary-line format:

% tcpdump -r ~/captures/oncrpc/nfs-v2.pcap
02:14:56.401500 155.56.249.123.928954202 > 155.56.2.6.nfs: 40 null
02:14:56.401500 155.56.2.6.nfs > 155.56.249.123.928954202: reply ok 24 null
02:14:56.451500 155.56.249.123.5104450 > 155.56.2.6.nfs: 140 getattr fh 0,33/1
02:14:56.451500 155.56.2.6.nfs > 155.56.249.123.5104450: reply ok 96 getattr DIR 40777 ids 0/0 sz 5120
...

% tethereal -r ~/captures/oncrpc/nfs-v2.pcap
1 0.000000 155.56.249.123 -> 155.56.2.6 NFS V2 NULL Call XID 0x375eb75a
2 0.000000 155.56.2.6 -> 155.56.249.123 NFS V2 NULL Reply XID 0x375eb75a
3 0.050000 155.56.249.123 -> 155.56.2.6 NFS V2 GETATTR Call XID 0x4de342
4 0.050000 155.56.2.6 -> 155.56.249.123 NFS V2 GETATTR Reply XID 0x4de342
...

which is also intentional (I find the latter much easier to read than
the former). Imitating tcpdump's display format was *not* a goal of
tethereal.

> and is documented in the manpage as being available.

The man page is incorrect; it fails to note that the time stamp isn't
displayed, by default, for live captures. (When I've done live captures
with snoop and not sent the output to a file, my main goal was to get a
general idea of what was happening on the network, to see what I should
look at in more detail to see why things were slow; the time stamp
wasn't useful in this case.)

> If imitating Sun's snoop is important, I'd add another state to the
> 'ts_type' enum (i.e., NO_TIMESTAMP) which could be the default method
> for Suns.

"For Suns"?

No, the default behavior should *not* depend on the platform on which
you're running; it's not a case of "am I running on Solaris or not?"
(one doesn't need to have a Sun to run Solaris; heck, I'm not sure one
needs Solaris to run snoop, as I think it's part of the ONCRPC+ source
package that Sun licenses to vendors who want the RPC and NFS code, and
I think Irix has it as well), it's a case of "what output format do I
want?", which might be, for some, "don't show the time stamp on live
captures" even on a platform that doesn't have snoop, and might be, for
some, "show the time stamp on live captures" even on a platform that
does have snoop.

Adding a "-t n" option would be acceptable.