Ethereal-users: Re: [Ethereal-users] Problem with Elapsed Time reading Sniffer File

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 04 Mar 2005 10:55:54 -0800
David_Long@xxxxxxxxxxxx wrote:
Comparing two captures of the same data taken on opposite sides of a WAN cloud, one taken by Ethereal and one by Sniffer, I noticed discrepancies in the timing when comparing the two using Ethereal.
Ethereal's code to get time stamps from Windows Sniffer files has some problems; it's much improved in 0.10.9, but people have still seen problems.
We'd need a copy of one of the files with a problem in order to figure out the cause. There are a couple of people who've been working on this (James Fields and Kevin Johnson; they're the ones who contributed the improvements in 0.10.9) - I don't know if they read the ethereal-users list, but they do read the ethereal-dev list, so I'm CCing that list.
When Ethereal 0.10.9 (on WinXP-SP1) reads a file from Sniffer version 4.70.04 (on Win2K-SP4), it reports the elapsed time compressed by a factor of about 3.6, i.e. a capture of 1 minute and 23.1 seconds on the Sniffer appears only to be 23.2 seconds long in Ethereal. The compression is equal throughout the capture, i.e. you can take any elapsed time in Ethereal, multiply it by 3.6 and get the original elapsed time in Sniffer.
The improvements they contributed get the time stamp units from a field in the file header, but that field isn't always present. In earlier releases, before they'd figured out that the field in question had the time stamp units, we'd tweaked a table that converted a unit specification (a small integer) to the time stamp units to try to fix problems; it might be that one of those tweaks 

	1) broke the handling of some capture files

and
2) wasn't necessary because the files the tweaks were done to fix had the time stamp unit field in the file header
so we might have to re-tweak the time stamp units table, or it might be that your files have the time stamp unit field but Ethereal isn't recognizing that fact.
I have tried other Time column formats than the default, but with no improvement.
That won't make a difference - the problem isn't the format, it's the numbers themselves; changing the time column format just changes the way the times are displayed, but the relative and delta times are just computed from the absolute times, so if the absolute times are wrong, the relative and delta times will also be wrong.