Ethereal-users: Re: [Ethereal-users] Ethereal "time of day"

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 12 Mar 2001 21:20:34 -0800
On Mon, Mar 12, 2001 at 08:51:43PM -0700, Clyde Hoadley wrote:
> Hum, this is interesting...  windump displays the time correctly but,
> Ethereal still displays the time incorrectly when reading the windump
> capture file.  ftp'ing the windump.cap file to Linux and reading it with
> tcpdump, tcpdump displays the times incorrectly too.  I created a dump
> file using tcpdump on Linux and ftp'ed it to windows.  Windump could
> not read the dump file from tcpdump, but Ethereal could, and it displayed
> the times correctly!  So, the problem must be outside of Ethereal.

Bleargh.

Time stamps are printed in tcpdump with code that does

void
ts_print(register const struct timeval *tvp)
{
	register int s;

	if (tflag > 0) {
		/* Default */
		s = (tvp->tv_sec + thiszone) % 86400;
		(void)printf("%02d:%02d:%02d.%06u ",
		    s / 3600, (s % 3600) / 60, s % 60, (u_int32_t)tvp->tv_usec);
	} else if (tflag < 0) {
		/* Unix timeval style */
		(void)printf("%u.%06u ",
		    (u_int32_t)tvp->tv_sec, (u_int32_t)tvp->tv_usec);
	}
}

The WinDump version is:

void
ts_print(register const struct timeval *tvp)
{
	register int s;
	DWORD dwVersion;
	DWORD dwWindowsMajorVersion;

	dwVersion=GetVersion();		//get the OS version
	dwWindowsMajorVersion =  (DWORD)(LOBYTE(LOWORD(dwVersion)));

	if (tflag > 0) {
		/* Default */
#ifndef WIN32
		s = (tvp->tv_sec + thiszone) % 86400;
#else
		if (dwVersion >= 0x80000000 && dwWindowsMajorVersion >= 4)			// Windows '95
		 s = (tvp->tv_sec) % 86400;
		else
		 s = (tvp->tv_sec + thiszone) % 86400;
#endif
		(void)printf("%02d:%02d:%02d.%06u ",
		    s / 3600, (s % 3600) / 60, s % 60, (u_int32_t)tvp->tv_usec);
	} else if (tflag < 0) {
		/* Unix timeval style */
		(void)printf("%u.%06u ",
		    (u_int32_t)tvp->tv_sec, (u_int32_t)tvp->tv_usec);
	}
}

which means that on some versions of Windows, it *doesn't* shift the
time by the current time zone before printing, but, on others, it does,
just as it does on UNIX.  (The code to get the current time zone is
identical on UNIX and Windows - it gets the current time in UNIX format,
converts it to GMT and to local time, and calculates the difference
between them, in seconds.)

I don't know why it does this; if it does it because the WinDump driver,
on Windows 95 (and later versions of Windows OT?), returns local-time
rather than UTC time stamps (perhaps you can't get UTC time stamps in
Windows OT), that means that

	WinDump, when run on Windows 95, will not necessarily print time
	stamps correctly for any captures done on OSes other than
	Windows 95 (including Windows NT);

	captures from Windows 95 won't have their time stamps
	interpreted correctly by most, if not all, programs that read
	libpcap captures (tcpdump, WinDump on Windows NT, Ethereal,
	etc.).
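The skew described above, as an added example that is not tcpdump or WinDump code: ts_print's seconds-of-day arithmetic in a helper, the thiszone computation the parenthetical describes (GMT vs. local time difference), and the display error for each writer/reader pairing. The sample time stamp and the -0800 zone are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SECS_PER_DAY 86400L

/* Seconds-of-day exactly as tcpdump's default path computes it: (tv_sec + thiszone) % 86400. */
static long ts_seconds_of_day(long tv_sec, long thiszone)
{
	long s = (tv_sec + thiszone) % SECS_PER_DAY;
	if (s < 0)
		s += SECS_PER_DAY;	/* only reachable for time stamps before the epoch */
	return s;
}

/* Format HH:MM:SS.uuuuuu the way ts_print does (static buffer for easy comparison). */
static const char *format_ts(long tv_sec, long tv_usec, long thiszone)
{
	static char buf[32];
	long s = ts_seconds_of_day(tv_sec, thiszone);
	snprintf(buf, sizeof buf, "%02ld:%02ld:%02ld.%06ld", s / 3600, (s % 3600) / 60, s % 60, tv_usec);
	return buf;
}

/* thiszone as the message describes it: current time converted to GMT and to local time,
 * difference in seconds. Result depends on the TZ of the host this runs on. */
static long current_thiszone(void)
{
	time_t now = time(NULL);
	struct tm gmt = *gmtime(&now);
	struct tm loc = *localtime(&now);
	gmt.tm_isdst = 0;
	loc.tm_isdst = 0;
	return (long)(mktime(&loc) - mktime(&gmt));
}

/* Displayed-minus-true error in seconds, normalised to (-43200, 43200].
 * writer_stores_local: capture's tv_sec already holds local time (the hypothesised Windows 95 case).
 * reader_adds_zone:    reader adds thiszone before printing (tcpdump, Ethereal, WinDump on NT). */
static long display_error(int writer_stores_local, int reader_adds_zone, long thiszone)
{
	long err = (writer_stores_local ? thiszone : 0) + (reader_adds_zone ? thiszone : 0) - thiszone;
	err %= SECS_PER_DAY;
	if (err < 0) err += SECS_PER_DAY;
	return err > SECS_PER_DAY / 2 ? err - SECS_PER_DAY : err;
}

int main(void)
{
	long utc = 984460834L, zone = -8L * 3600;	/* constructed: 2001-03-13 05:20:34 UTC */
	printf("UTC file, zone-aware reader:   %s\n", format_ts(utc, 0, zone));
	printf("local file, zone-aware reader: %s (off by %ld s)\n", format_ts(utc + zone, 0, zone), display_error(1, 1, zone));
	return 0;
}
```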