Ethereal-users: Re: [Ethereal-users] Ethereal "time of day"

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 12 Mar 2001 19:06:33 -0800 (PST)

> What is the definition of "Absolute time"?

"Absolute time" means "the time stamp from the capture, translated, when
possible, into UTC, and then displayed as local time".

The way the translation is done depends on the type of the capture file;
in the case of a live capture, the capture file is a libpcap (tcpdump)
file, so the time stamps in the capture file are presumed to be in UNIX
format (seconds since Jan 1, 1970, 00:00:00 GMT, plus microseconds).

The time stamps are written *to* the file by Ethereal under the
assumption that the WinPcap driver and library have supplied the time to
Ethereal in UNIX format; if that's not the case, then the time stamps
may be incorrect.

It sounds as if some part of the system - whether it's the Windows 9x
"kernel", or the WinPcap driver, or the C run-time library - has the
time zone offset backwards, and it thinks you're 7 hours *ahead* of UTC
rather than 7 hours *behind* UTC.

Try using WinDump.  First, just run it from a DOS window and see what
time stamps it prints, to see if those are correct or not; then, try
running it with the "-w" flag, saving the capture to a file, and try
reading the file with both tcpdump and Ethereal, to see if those time
stamps are correct or not.

> Do I not understand the "time of day" option correctly or,
> is this a Windows glitch or, something else?

I strongly suspect it's a Windows 9x glitch of some sort.  It works fine
for me, at least, on both various UNIX-flavored OSes and Windows NT
(on 4.0, and also on 5.0, a/k/a Windows 2000).
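The message above describes two things worth seeing in code: the layout of a libpcap capture file (UNIX seconds since 1970-01-01 00:00:00 UTC plus microseconds in each packet record) and the symptom of a host that has its time zone offset sign reversed (every stamp off by twice the zone offset, 14 hours for a zone 7 hours behind UTC). The following Python is an added example, not Ethereal, tcpdump or WinPcap code; `build_pcap`, `parse_pcap`, `to_utc` and `diagnose_offset` are names chosen here, and the capture bytes are constructed in the script rather than taken from a real trace.

```python
"""Parse classic libpcap (tcpdump) capture files and sanity-check their
timestamps.  Added example; not code from Ethereal, tcpdump or WinPcap.

Packet records store time as UNIX seconds plus microseconds.  A reader
turns that into UTC and then into local time, so if the *writer* had the
sign of its UTC offset backwards, every stamp lands 2 * |offset| away
from the truth.
"""
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap magic number


def build_pcap(packets, endian="<", thiszone=0, snaplen=65535, linktype=1):
    """Build a minimal pcap file in memory from (ts_sec, ts_usec, payload)
    tuples.  Used only to construct the sample input for this example."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, thiszone, 0, snaplen, linktype)
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return out


def parse_pcap(data):
    """Return (endian, thiszone, records).  Byte order is detected from the
    magic number, which is how tcpdump and Ethereal read files written on a
    host of the opposite endianness.  Each record is a dict with ts_sec,
    ts_usec, incl_len, orig_len and payload; malformed records raise."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    _, _vmaj, _vmin, thiszone, _sigfigs, _snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        if ts_usec >= 1_000_000:
            raise ValueError("microseconds field out of range: %d" % ts_usec)
        records.append({"ts_sec": ts_sec, "ts_usec": ts_usec,
                        "incl_len": incl_len, "orig_len": orig_len, "payload": payload})
        off += incl_len
    return endian, thiszone, records


def to_utc(ts_sec, ts_usec):
    """The raw UNIX stamp interpreted as UTC, before any local-time display."""
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc) + timedelta(microseconds=ts_usec)


def diagnose_offset(stamp_utc, reference_utc, local_offset_hours, tolerance_minutes=5):
    """Compare a capture stamp with a trusted reference time for the same
    packet.  'tz-sign-flipped' means the error is twice the zone offset,
    the symptom described in the message; 'skewed' is any other disagreement."""
    error = abs(stamp_utc - reference_utc)
    tol = timedelta(minutes=tolerance_minutes)
    if error <= tol:
        return "ok"
    if abs(error - timedelta(hours=2 * abs(local_offset_hours))) <= tol:
        return "tz-sign-flipped"
    return "skewed"


# Constructed sample: one packet stamped correctly at 2001-03-13 03:06:33.25 UTC
# (19:06:33 PST), and the same packet as a host with the UTC-7 offset sign
# reversed would have written it, 14 hours early.
CORRECT_TS = 984452793
SAMPLE_PCAP = build_pcap([
    (CORRECT_TS, 250000, b"\x00" * 60),
    (CORRECT_TS - 14 * 3600, 250000, b"\x00" * 60),
])


def check_sample(data=SAMPLE_PCAP):
    """Verdict per record, measured against the known-good first stamp."""
    _endian, _thiszone, records = parse_pcap(data)
    reference = to_utc(CORRECT_TS, 250000)
    return [diagnose_offset(to_utc(r["ts_sec"], r["ts_usec"]), reference, -7) for r in records]


if __name__ == "__main__":
    for rec, verdict in zip(parse_pcap(SAMPLE_PCAP)[2], check_sample()):
        print(to_utc(rec["ts_sec"], rec["ts_usec"]).isoformat(), verdict)
```

In practice the reference time would come from a source independent of the capturing host, for example the same packet seen in a tcpdump capture on a correctly configured UNIX machine, which is exactly the cross-check suggested in the message.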