Ethereal-users: [Ethereal-users] netxray.c Time Calculations (file version 2.2)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ken Mann" <KMann@xxxxxxxxxxxxxxx>
Date: Thu, 27 Jan 2005 14:37:42 -0700
I have found what I believe is a discrepancy in how the time of each packet is determined. My experience is limited to version 2.2 with files.
In the current netxray.c, realtick is read (with appropriate byte ordering) into timeunit. Timeunit is used to convert the time stamp of each packet into units of seconds. A 64-bit time stamp (timehi:timelo) appears to be output when Sniffer is told to write the capture buffer to a file. In that instance, all the algorithms in the current netxray.c (10.9) are correct. However, if timehi:timelo is zero, the time stamp in each packet is pure microseconds and should be divided by 1E6 to convert to seconds, NOT the value found in realtick.
I have also observed that a different value of realtick/timeunit is written to the file depending on the type of network (0x1234DE for Ethernet, 0x369E99 for 802.11).
 
struct netxray_hdr {
...
    guint8  timeunit;    /* encodes length of a tick */
    guint8  xxa[3];      /* XXX - is this the upper 3 bytes of the time units? */
    guint32 timelo;      /* lower 32 bits of time stamp of capture start */
    guint32 timehi;      /* upper 32 bits of time stamp of capture start */
    guint32 linespeed;   /* speed of network, in bits/second */
    guint8  xxb[12];     /* other stuff */
    guint8  realtick[4]; /* in version 2, units of the timestamps */
    guint8  xxc[48];     /* other unknown stuff */
};
Forgive me if this has already been covered by a previous post.
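
Added example, not part of the original post and not code from netxray.c: the divisor rule the post proposes, written out in C so the effect on a packet time stamp can be compared. The names nx_times, nx_ts, nx_realtick, nx_ticks_per_sec and nx_to_ts are hypothetical, realtick is assumed to be stored little-endian, and the zero-divisor check is an addition for malformed files.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of the header fields the post discusses (not the file layout). */
struct nx_times {
    uint32_t timelo;      /* lower 32 bits of time stamp of capture start */
    uint32_t timehi;      /* upper 32 bits of time stamp of capture start */
    uint8_t  realtick[4]; /* raw bytes as stored in the file */
};

struct nx_ts { uint64_t secs; uint32_t nsecs; };

/* Assumption: realtick is stored little-endian. */
static uint32_t nx_realtick(const struct nx_times *h)
{
    return (uint32_t)h->realtick[0] | ((uint32_t)h->realtick[1] << 8) |
           ((uint32_t)h->realtick[2] << 16) | ((uint32_t)h->realtick[3] << 24);
}

/* Ticks per second under the rule proposed in the post. */
static uint32_t nx_ticks_per_sec(const struct nx_times *h)
{
    if (h->timehi == 0 && h->timelo == 0)
        return 1000000u;          /* time stamps are plain microseconds */
    return nx_realtick(h);        /* e.g. 0x1234DE or 0x369E99 */
}

/* Convert a raw packet time stamp; returns -1 when the divisor would be zero. */
static int nx_to_ts(const struct nx_times *h, uint64_t raw, struct nx_ts *out)
{
    uint32_t tps = nx_ticks_per_sec(h);
    if (tps == 0)
        return -1;                /* malformed file: refuse to divide by zero */
    out->secs  = raw / tps;
    out->nsecs = (uint32_t)((raw % tps) * 1000000000ull / tps);
    return 0;
}

int main(void)
{
    /* Constructed sample: same realtick bytes, start time set vs. zero. */
    struct nx_times set  = { 1, 0, { 0xDE, 0x34, 0x12, 0x00 } };
    struct nx_times zero = { 0, 0, { 0xDE, 0x34, 0x12, 0x00 } };
    struct nx_ts a, b;
    if (nx_to_ts(&set, 2500000, &a) == 0 && nx_to_ts(&zero, 2500000, &b) == 0)
        printf("%llu.%09u vs %llu.%09u\n", (unsigned long long)a.secs,
               (unsigned)a.nsecs, (unsigned long long)b.secs, (unsigned)b.nsecs);
    return 0;
}
```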