Wireshark · Ethereal-users: Re: [Ethereal-users] Capture conversions

Ethereal-users: Re: [Ethereal-users] Capture conversions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>

Date: Sun, 23 Feb 2003 22:28:53 +0100

Guy Harris wrote:
>Although that raises the question of whether the DOS epoch is local time
>or GMT.  If, as I suspect, it's local time, you'd also need to add in
>a time zone offset between local time (which you'd probably have to
>assume is local time on the machine on which you're reading the file)
>and UTC.
>

In the files I captured with NetProb32 demo-version and the sample "Nw_test.trc"-file that was included with the
NetProb (v1.34) and NetProb32 (v1.3) demo versions, there was no absolute time reference at all - only relative timestamps since the capturing was started ("Elapsed time").

However I don't know if maybe your capture looks different from this.

http://www.netplusinc.com/
http://www.zdnet.com.au/downloads/pc/swinfo/0,2000036746,7737990,00.htm
http://www.simtel.net/pub/pd/25395.html


Below is a sample file I captured with NetProb32 demoversion, and my guess of what some of the data means 

000:  6400 0100 0500 0000 0000 0000 0000 0000  d...............
010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
020:  0000 0000 0000 0000 0000 0000 0000 4000  ..............@.
030:  4000 FB05 0000 0000 0000 0000 0000 0000  @.û.............
040:  0000 FFFF FFFF FFFF 0000 CA23 FEF1 0806  ..ÿÿÿÿÿÿ..Ê#þñ..
050:  0001 0800 0604 0001 0000 CA23 FEF1 0A75  ..........Ê#þñ.u
060:  FFFD 0000 0000 0000 D559 8E2C 01D9 8FE3  ÿý......ÕY,.Ùã
070:  5010 8000 FEF1 0000 686F 7879 2061 6365  P..þñ..hoxy ace
080:  7461 4000 4000 7907 0000 0000 0000 0000  ta@[email protected].........
090:  0000 0000 0000 FFFF FFFF FFFF 0000 CA23  ......ÿÿÿÿÿÿ..Ê#
0A0:  FEF1 0806 0001 0800 0604 0001 0000 CA23  þñ............Ê#
0B0:  FEF1 0A75 FFFD 0000 0000 0000 D559 8D7C  þñ.uÿý......ÕY|
0C0:  17B7 6C1E 5010 2300 6343 0000 6EFB 942C  .·l.P.#.cC..nû,
0D0:  89DC 0241 18FC 4000 4000 9F07 0000 0000  Ü.A.ü@.@......
0E0:  0000 0000 0000 0000 0000 FFFF FFFF FFFF  ..........ÿÿÿÿÿÿ
0F0:  0000 CA23 FEF1 0806 0001 0800 0604 0001  ..Ê#þñ..........
100:  0000 CA23 FEF1 0A75 FFFD 0000 0000 0000  ..Ê#þñ.uÿý......
110:  D559 8E62 CCCC CCCC CCCC CC0D 0DA9 17D9  ÕYbÌÌÌÌÌÌÌ..©.Ù
120:  C352 2FB3 86A4 5F67 0D48 3C00 3C00 0309  ÃR/³¤_g.H<.<...
130:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
140:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
150:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
160:  0000 0000 D559 8C16 0000 0000 0000 0000  ....ÕY.........
170:  0000 0000 0000 0000 0000 3C00 3C00 6B09  ..........<.<.k.
180:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
190:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1A0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
1B0:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕY1........
1C0:  0000 0000 0000 0000 0000 3C00 3C00 A320  ..........<.<.£ 
1D0:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
1E0:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1F0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
200:  0000 0000 D559 8EBA 0000 0000 0000 0000  ....ÕYº........
210:  0000 0000 0000 0000 0000 3C00 3C00 8321  ..........<.<.!
220:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
230:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
240:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
250:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕY1........
260:  0000 0000 0000 0000 0000 4000 4000 5723  ..........@[email protected]#
270:  0000 0000 0000 0000 0000 0000 0000 FFFF  ..............ÿÿ
280:  FFFF FFFF 0000 CA23 FEF1 0806 0001 0800  ÿÿÿÿ..Ê#þñ......
290:  0604 0001 0000 CA23 FEF1 0A75 FFFD 0000  ......Ê#þñ.uÿý..
2A0:  0000 0000 D559 8E62 3C7D 286D 5010 20A5  ....ÕYb<}(mP. ¥
2B0:  1C4E 0000 6837 9242 08E0 0A25 E004       .N..h7B.à.%à.  



000:  6400 0100 0500 0000 0000 0000 0000 0000  d...............
010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
020:  0000 0000 0000 0000 0000 0000 0000 

64 00   NetProb file-format (It seems that several of the binary files generated by NetProb starts with 64 00)
01 00   TRC-format (0100 = means TRC capture it seems, 
                    0400 = seems to mean PKT packet generation file - with another file format than this, 
                    0700 = CFG configuration file - with another file format than this)
05 00   Number of packets stored (I think) = 5 
       (only 5 will be visible since captured with demo version but there are really a few more packets in the file.
       The demo file that was included had value "06 00" and there was 6 packets that I could view)

=============
                                         4000  ..............@.
030:  4000 FB05 0000 0000 0000 0000 0000 0000  @.û.............
040:  0000 

40 00   number of octets  (size=64)
40 00   snaplen ?
FB 05 00 00 00 ... Elapsed time 00:01:531  (0x05FB =  1531 msec = 1:531 sec)
-------------
           FFFF FFFF FFFF 0000 CA23 FEF1 0806  ..ÿÿÿÿÿÿ..Ê#þñ..
050:  0001 0800 0604 0001 0000 CA23 FEF1 0A75  ..........Ê#þñ.u
060:  FFFD 0000 0000 0000 D559 8E2C 01D9 8FE3  ÿý......ÕY,.Ùã
070:  5010 8000 FEF1 0000 686F 7879 2061 6365  P..þñ..hoxy ace
080:  7461 

==============

           4000 4000 7907 0000 0000 0000 0000  ta@[email protected].........
090:  0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen=64   
79 07 00 00 00 ... Elapsed time 00:01:931  (0x0779 =  1913 msec = 1:931 sec)
-------------------
                     FFFF FFFF FFFF 0000 CA23  ......ÿÿÿÿÿÿ..Ê#
0A0:  FEF1 0806 0001 0800 0604 0001 0000 CA23  þñ............Ê#
0B0:  FEF1 0A75 FFFD 0000 0000 0000 D559 8D7C  þñ.uÿý......ÕY|
0C0:  17B7 6C1E 5010 2300 6343 0000 6EFB 942C  .·l.P.#.cC..nû,
0D0:  89DC 0241 18FC 
==================

                     4000 4000 9F07 0000 0000  Ü.A.ü@.@......
0E0:  0000 0000 0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen 
9F 07 00 00 00 ... Elapsed time 00:01:951  (0x079F =  1951 msec = 1:951 sec)
---------------------
                               FFFF FFFF FFFF  ..........ÿÿÿÿÿÿ
0F0:  0000 CA23 FEF1 0806 0001 0800 0604 0001  ..Ê#þñ..........
100:  0000 CA23 FEF1 0A75 FFFD 0000 0000 0000  ..Ê#þñ.uÿý......
110:  D559 8E62 CCCC CCCC CCCC CC0D 0DA9 17D9  ÕYbÌÌÌÌÌÌÌ..©.Ù
120:  C352 2FB3 86A4 5F67 0D48 
=====================

                               3C00 3C00 0309  ÃR/³¤_g.H<.<...
130:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=64)
3C 00   snaplen 
03 09 00 00 00 ... Elapsed time 00:02:307  (0x0903 =  2307 msec = 2:307 sec)
----------------------
                                         FFFF  ..............ÿÿ
140:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
150:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
160:  0000 0000 D559 8C16 0000 0000 0000 0000  ....ÕY.........
170:  0000 0000 0000 0000 0000 
======================
                               3C00 3C00 6B09  ..........<.<.k.
180:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=64)
3C 00   snaplen
6B 09 00 00 00 ... Elapsed time 00:02:411 (0x096B = 2411 msec = 2:411 sec)
-------------
                                         FFFF  ..............ÿÿ
190:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1A0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
1B0:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕY1........
1C0:  0000 0000 0000 0000 0000 
=======================
                               3C00 3C00 A320  ..........<.<.£ 
1D0:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=64)
3C 00   snaplen
A3 20 00 00 00 ... Elapsed time ????????  (8:355 sec ???)
--------------
                                         FFFF  ..............ÿÿ
1E0:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
1F0:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
200:  0000 0000 D559 8EBA 0000 0000 0000 0000  ....ÕYº........
210:  0000 0000 0000 0000 0000 
========================
                               3C00 3C00 8321  ..........<.<.!
220:  0000 0000 0000 0000 0000 0000 0000 

3C 00   number of octets  (size=64)
3C 00   snaplen
83 21 00 00 00 ... Elapsed time ???????  (8:579 sec ???)
-------
                                         FFFF  ..............ÿÿ
230:  FFFF FFFF 0007 0DB3 E40A 0806 0001 0800  ÿÿÿÿ...³ä.......
240:  0604 0001 0007 0DB3 E40A D559 8C01 0000  .......³ä.ÕY...
250:  0000 0000 D559 8C31 0000 0000 0000 0000  ....ÕY1........
260:  0000 0000 0000 0000 0000 
=========================

                               4000 4000 5723  ..........@[email protected]#
270:  0000 0000 0000 0000 0000 0000 0000 

40 00   number of octets  (size=64)
40 00   snaplen
57 23 00 00 00 ... Elapsed time ???????  (9:047 sec ??)
------------------------
                                         FFFF  ..............ÿÿ
280:  FFFF FFFF 0000 CA23 FEF1 0806 0001 0800  ÿÿÿÿ..Ê#þñ......
290:  0604 0001 0000 CA23 FEF1 0A75 FFFD 0000  ......Ê#þñ.uÿý..
2A0:  0000 0000 D559 8E62 3C7D 286D 5010 20A5  ....ÕYb<}(mP. ¥
2B0:  1C4E 0000 6837 9242 08E0 0A25 E004       .N..h7B.à.%à.

NetProb Packet Print: Decoded Packet 

Packet Number: 1
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:531
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.142.44


Packet Number: 2
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:913
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.141.124


Packet Number: 3
Length: 64 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:01:951
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 0000CA23FEF1 ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 10.117.255.253
Target Protocol Address: 213.89.142.98


Packet Number: 4
Length: 60 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:02:307
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 00070DB3E40A ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 213.89.140.1
Target Protocol Address: 213.89.140.22


Packet Number: 5
Length: 60 Bytes
Elapsed Time (Hour:Minute:Sec:MSec): 0000:00:02:411
Frame Type: Ethernet II
========================== Data Link Control (DLC) ==========================
Node: 00070DB3E40A ---> Broadcast 
Packet Type: ARP (0x0806) 
===================== Address Resolution Protocol (ARP) =====================
Hardware Type: Ethernet 
Protocol: IPv4 (0x0800) 
Hardware Address Length: 6 
Protocol Address Length: 4 
Operation: ARP Request 
Sender Protocol Address: 213.89.140.1
Target Protocol Address: 213.89.140.49

Attachment: My_test.TRC
Description: Binary data

Prev by Date: Re: [Ethereal-users] Capture conversions
Next by Date: Re: [Ethereal-users] Capture conversions
Previous by thread: Re: [Ethereal-users] Capture conversions
Next by thread: Re: [Ethereal-users] Capture conversions
Index(es):
- Date
- Thread