Wireshark · Ethereal-users: Re: [Ethereal-users] Ethereal time format anomaly with libpcap file format

Ethereal-users: Re: [Ethereal-users] Ethereal time format anomaly with libpcap file format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Mon, 29 Dec 2003 11:35:07 -0800

On Mon, Dec 29, 2003 at 02:22:11PM -0500, Chris_Friedline@xxxxxxxxxxxxxxx wrote:
> Thoughts?  Do I just need to convert everything to Sniffer before using 
> EtherPeek or did I stumble upon something in Ethereal?

Time stamps in libpcap format are stored as seconds since January 1,
1970, 00:00:00 GMT, plus microseconds.  DOS-based Sniffer files store
time stamps as local times.

I suspect that either

	1) EtherPeek's code for handling libpcap-format captures is
	   broken and doesn't handle UNIX-style time stamps correctly

or

	2) the time stamps are wrong on your server but the C library
	   functions Ethereal is using to process those time stamps is
	   compensating for that

and as I have no reason to believe that the C library functions would
compensate for that, I suspect the answer is 1).  The ability to read
libpcap-format captures in EtherPeek might be a new feature, so perhaps
there are some glitches in it (although Wildpackets' ProConvert has
handled them for a while).

References:
- [Ethereal-users] Ethereal time format anomaly with libpcap file format
  - From: Chris_Friedline

Prev by Date: Re: [Ethereal-users] Training questions
Next by Date: RE: [Ethereal-users] Ethereal time format anomaly with libpcap fileformat
Previous by thread: [Ethereal-users] Ethereal time format anomaly with libpcap file format
Next by thread: Re: [Ethereal-users] Ethereal time format anomaly with libpcap file format
Index(es):
- Date
- Thread