Ethereal-users: Re: [Ethereal-users] The Enigma of CAP-file header TIMESTAMPS ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 17 Jan 2005 10:01:30 -0800
Markku Tiuri wrote:
This is an example of an XCP header of a Capture file
 58 43 50 00 30 30 32 2E 30 30 32 00 FB 8E 4E 41
 F6 EB 00 00 BE FF EF 03 80 00 00 00 DE AF 62 00
 0F 76 61 00 00 00 00 00 DE AF 62 00 00 00 00 00
 02 00 00 00 78 A2 24 CA A7 01 00 00 00 CA 9A 3B
 00 00 00 00 01 00 00 00 14 00 04 00 99 9E 36 00
 00 00 00 00 05 00 01 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 01 01 E0 E3
The field names might go like this:
 header | version | start time (low)
 time (high?) | something (number of frames) | start offset | end offset
 network information | 00 00
 (02) time unit | time low - time high - line speed
some info 64 bytes

I assume you're looking at the "struct netxray_hdr" in Ethereal's
"wiretap/netxray.c" file to get those field names.

We do not know how the *start time* is calculated - can anyone HELP us?

The start time, which comes after the 4-byte "XCP\0" magic number and
the 8-byte version number string, appears to be a 4-byte little-endian
UNIX-style time (i.e., seconds since January 1, 1970, 00:00:00 GMT).

We can calculate the times for the following frames in the CAP file if we
somehow can deduce the actual start time to which all the frame times are related.

Note that we recently discovered that there's also a field that, at
least with later versions of the file format, may contain the time units
directly, rather than as a small integer that's an index into a table.

You should probably look at the current version of Ethereal's
"wiretap/netxray.c" for full details on time stamps in those files,
although I think there might still be some problems with interpreting
time stamps.
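As an added example that is not part of this thread, here is a small Python parser that decodes the 128-byte header quoted above and pulls out the 4-byte little-endian UNIX start time that follows the "XCP\0" magic and the 8-byte version string. Field names past offset 16 (frame count, start/end offset, time unit, time low/high, line speed) follow the guesses in the quoted mail and are assumptions, not a documented layout.

```python
import struct
from datetime import datetime, timezone

# The 128-byte XCP header from the quoted mail, transcribed from its hex dump.
HEADER_HEX = """
58 43 50 00 30 30 32 2E 30 30 32 00 FB 8E 4E 41
F6 EB 00 00 BE FF EF 03 80 00 00 00 DE AF 62 00
0F 76 61 00 00 00 00 00 DE AF 62 00 00 00 00 00
02 00 00 00 78 A2 24 CA A7 01 00 00 00 CA 9A 3B
00 00 00 00 01 00 00 00 14 00 04 00 99 9E 36 00
00 00 00 00 05 00 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 01 E0 E3
"""


def parse_hex_dump(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_xcp_header(raw: bytes) -> dict:
    """Decode the fixed fields of a NetXRay/Sniffer 'XCP' capture header.

    Offsets 0..15 (magic, version string, start time) follow the reply above;
    the names used for later offsets are assumptions taken from the quoted
    mail's guesses, not a documented layout.
    """
    if len(raw) < 64:
        raise ValueError("header too short: %d bytes" % len(raw))
    if raw[0:4] != b"XCP\x00":
        raise ValueError("not an XCP capture: bad magic %r" % raw[0:4])
    version = raw[4:12].split(b"\x00", 1)[0].decode("ascii")
    # Every integer field is 32-bit little-endian ('<I').
    start_time, nframes, _unknown, start_off, end_off = struct.unpack_from("<5I", raw, 12)
    timeunit = raw[48]                       # small index into a tick table (assumed)
    timelo, timehi, linespeed = struct.unpack_from("<3I", raw, 52)
    return {
        "version": version,
        "start_time": start_time,            # seconds since 1970-01-01 00:00:00 GMT
        "start_time_utc": datetime.fromtimestamp(start_time, tz=timezone.utc)
                                  .strftime("%Y-%m-%d %H:%M:%S"),
        "nframes": nframes,
        "start_offset": start_off,           # 0x80 == 128 == size of this header
        "end_offset": end_off,
        "timeunit": timeunit,
        "timelo": timelo, "timehi": timehi,  # meaning unresolved in the thread
        "linespeed": linespeed,              # bits/second (assumed)
    }


HEADER = parse_hex_dump(HEADER_HEX)
INFO = parse_xcp_header(HEADER)
```

Running `parse_xcp_header` on the quoted bytes gives a start time of 1095667451, i.e. 2004-09-20 08:04:11 UTC, a frame count of 60406 and a first-frame offset of 128, which is exactly the length of the dumped header.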