Ethereal-users: Re: [Ethereal-users] netxray.c Time Calculations (file version 2.2)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "James V. Fields" <jvfields@xxxxxxx>
Date: Thu, 27 Jan 2005 17:07:02 -0500
Excellent - I was hoping we'd get more folks looking into timetick
values for Sniffer.  I do have a couple of clarification questions so
that I can look at some of my captures:

1.  You state that the 64-bit time stamp appears to be output when
Sniffer is told to write the capture buffer to a file.  Does that mean
that if you have sniffer capture to a memory buffer or straight to
"expert" that it doesn't write those timestamps?

2.  How do you know that the time stamp in each packet is pure micro
seconds when the timehi:timelo is zero (I'm not questioning if you're
correct, just interested in your source of information as I got very
interested in this lately and can't find it documented anywhere).

Thanks!

Ken Mann wrote:
I have found what I believe is a discrepancy in how the time of each packet is determined. My experience is limited to version 2.2 with files. In the current netxray.c, realtick is read (with appropriate byte ordering) into timeunit. Timeunit is used to convert the time stamp of each packet into units of seconds. 64-bit time stamp (timehi:timelo) appears to be output when Sniffer is told to write the capture buffer to a file. In that instance, all the algorithms in the current netxray.c (10.9) are correct. However, if timehi:timelo is zero, the time stamp in each packet is pure micro seconds and should be divided by 1E6 to convert to seconds, NOT the value found in realtick. I have also observed that a different value of realtick/timeunit is written to the file depending on the type of network (0x1234DE for ethernet, 0x369E99 for 802.11) struct netxray_hdr { 
...
 guint8 timeunit; /* encodes length of a tick */
 guint8 xxa[3];  /* XXX - is this the upper 3 bytes of the time units? */
 guint32 timelo;  /* lower 32 bits of time stamp of capture start */
 guint32 timehi;  /* upper 32 bits of time stamp of capture start */
 guint32 linespeed; /* speed of network, in bits/second */
 guint8 xxb[12]; /* other stuff */
 guint8 realtick[4]; /* in version 2, units of the timestamps  */
 guint8 xxc[48]; /* other unknown stuff */
};
Forgive me if this has already been covered by a previous post.


------------------------------------------------------------------------

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users