Ethereal-users: Re: [Ethereal-users] Capture conversions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Sun, 23 Feb 2003 10:36:21 -0600 (CST)

On Sun, 23 Feb 2003, Robert McConnell wrote:

> I am looking at converting the NetProbe trace files into the raw tcpdump 
> format so that I can import them into Ethereal. Looking at the files 
> themselves, they contain a binary copy of each packet with a 20 byte header 
> containing the packet length, snapshot length and an MS-DOS time stamp 
> (milliseconds since 1/1/80). So I think the conversion will be rather 
> simple to do in either Perl or C.
> 
> Has anyone built this wheel? Or does anyone have a snippet of code that 
> will convert MS-DOS time stamps into Unix time? This is the one piece I 
> don't have worked out.

Instead of writing a NetProbe to tcpdump converter, would it be possible
to add support to the Wiretap library?  That way, Ethereal could read the
files natively and they could be converted to the many formats that
Ethereal, Tethereal and editcap can write.  More information can be found
in wiretap/README in the source distribution.

According to 'date -ud "1/1/1980" +%s' there are 315532800 seconds between
the Unix and DOS epochs.  The tcpdump/libpcap file format saves its
timestamps as Unix seconds and microseconds.  Couldn't you do something
like

   unix_sec = (dos_msec / 1000) + 315532800;
   unix_usec = (dos_msec % 1000) * 1000;

to get the values you need?
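
The conversion suggested in the reply above, carried through to a libpcap per-packet record header, as an added example that is not part of the original message or of the Ethereal/Wiretap source. Assumptions: the function name `dos_to_pcap_rec` is hypothetical, the three input fields have already been extracted from the trace record (the post does not give the 20-byte header layout), the snapshot length is the number of bytes actually stored, and the millisecond counter is in UTC and wider than 32 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds between the Unix epoch (1970-01-01) and the DOS epoch
 * (1980-01-01), the figure given in the reply above. */
#define DOS_EPOCH_OFFSET 315532800ULL

/* Classic libpcap per-packet record header (written in host byte order). */
struct pcap_rec_hdr {
    uint32_t ts_sec;    /* Unix seconds */
    uint32_t ts_usec;   /* microseconds within that second */
    uint32_t incl_len;  /* bytes of the packet stored in the file */
    uint32_t orig_len;  /* bytes of the packet on the wire */
};

/* Build a pcap record header from fields already pulled out of a trace
 * record. dos_msec is taken as 64-bit (assumption): a 32-bit millisecond
 * counter would wrap after about 49.7 days.
 * Returns 0 on success, -1 if the values cannot be represented. */
int dos_to_pcap_rec(uint64_t dos_msec, uint32_t snap_len, uint32_t pkt_len,
                    struct pcap_rec_hdr *out)
{
    uint64_t sec = dos_msec / 1000 + DOS_EPOCH_OFFSET;

    if (out == NULL || sec > UINT32_MAX)  /* pcap seconds field is 32 bits */
        return -1;
    if (snap_len > pkt_len)               /* more stored than was on the wire */
        return -1;

    out->ts_sec   = (uint32_t)sec;
    out->ts_usec  = (uint32_t)(dos_msec % 1000) * 1000;
    out->incl_len = snap_len;
    out->orig_len = pkt_len;
    return 0;
}

int main(void)
{
    struct pcap_rec_hdr h;
    /* Constructed sample: 1.5 s after the DOS epoch, 60 of 60 bytes kept. */
    if (dos_to_pcap_rec(1500, 60, 60, &h) != 0)
        return 1;
    printf("%u.%06u incl=%u orig=%u\n", (unsigned)h.ts_sec,
           (unsigned)h.ts_usec, (unsigned)h.incl_len, (unsigned)h.orig_len);
    return 0;
}
```

Rejecting a record whose stored length exceeds its wire length keeps a corrupt or misparsed trace header from producing a pcap file that readers will choke on.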