https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7457
Summary: PCAPNG: timestamps get changed when tshark reads and
saves a pcapng file
Product: Wireshark
Version: 1.8.0
Platform: x86
OS/Version: SuSE
Status: NEW
Severity: Critical
Priority: Low
Component: TShark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: holychan@xxxxxxxxx
Build Information:
TShark 1.8.0 (SVN Rev Unknown from unknown)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.22.5, with libpcap, with libz 1.2.3, without POSIX
capabilities, without SMI, without c-ares, without ADNS, without Lua, without
Python, with GnuTLS 2.4.1, with Gcrypt 1.4.1, without Kerberos, without GeoIP.
Running on Linux 2.6.33.7-rt29-0.5-rt, with locale en_US.UTF-8, with libpcap
version 1.3.0, with libz 1.2.3.
Built using gcc 4.6.3.
--
When you try to read a pcapng file and save it to a new pcapng file, the
timestamp was trimmed down! The decimal place is moved to the front and the
last digit is rounded off. The timestamp is no longer correct. Could anyone
please help how to correct it? Thanks a lot!
--------------------------------------------------
$ tshark -r capture.20120625.pcapng -t e | head -3
1 1340398414.509256500 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
2 1340398416.805447300 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
3 1340398417.391487800 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device
ID: SSI1516004B Port ID: Ethernet1/50/2
--------------------------------------------------
$ tshark -F pcapng -r capture.20120625.pcapng -w testout.pcapng -c 3
--------------------------------------------------
$ tshark -r testout.pcapng -t e | head -3
1 134039841.450925600 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
2 134039841.680544700 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
3 134039841.739148700 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device
ID: SSI1516004B Port ID: Ethernet1/50/2
--------------------------------------------------
I checked that my if_tsresol field in the original IS block is 7. So
effectively the timestamp lost its least significant digit but the program
still wanted to maintain the original number of decimal places. As a result,
the decimal point is moved to the front by 1 digit.
I am using:
libpcap-1.3.0
wireshark-1.8.0 ( downloaded from http://www.wireshark.org/download.html )
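The arithmetic behind the symptom in the report above, as an added example that is not part of the original report and is not Wireshark code. It assumes the rewritten file stored microsecond values while its interface block still declared if_tsresol 7, which matches the reporter's description but is not a confirmed root cause; the function names are hypothetical and the raw values are reconstructed from the first tshark listing.

```python
# Added illustration; function names are hypothetical, not Wireshark code.

def units_per_second(if_tsresol: int) -> int:
    """if_tsresol option: MSB clear means 10^-n s units, MSB set means 2^-n s."""
    n = if_tsresol & 0x7F
    return 2 ** n if if_tsresol & 0x80 else 10 ** n

def split_ts(raw: int) -> tuple[int, int]:
    """Split a 64-bit timestamp into the (high, low) 32-bit words stored per packet."""
    return (raw >> 32) & 0xFFFFFFFF, raw & 0xFFFFFFFF

def render(ts_high: int, ts_low: int, if_tsresol: int = 6) -> str:
    """Interpret the stored words under if_tsresol (pcapng default is 6, microseconds)."""
    units = units_per_second(if_tsresol)
    secs, frac = divmod((ts_high << 32) | ts_low, units)
    return f"{secs}.{frac * 10**9 // units:09d}"

def rescale(raw: int, from_tsresol: int, to_tsresol: int) -> int:
    """Convert a raw count between resolutions, truncating any lost digits."""
    return raw * units_per_second(to_tsresol) // units_per_second(from_tsresol)

def mismatched_rewrite(raw: int, declared_tsresol: int, written_tsresol: int = 6) -> str:
    """Assumed failure model: value rescaled to written_tsresol, but the file
    still declares declared_tsresol, so readers divide by the wrong unit."""
    stored = rescale(raw, declared_tsresol, written_tsresol)
    return render(*split_ts(stored), declared_tsresol)

def consistent_rewrite(raw: int, declared_tsresol: int, written_tsresol: int = 6) -> str:
    """Same rescale, but the declared resolution is updated to match the data."""
    stored = rescale(raw, declared_tsresol, written_tsresol)
    return render(*split_ts(stored), written_tsresol)

# Raw counts reconstructed from the first listing in the report (if_tsresol = 7).
SAMPLES = [13403984145092565, 13403984168054473, 13403984173914878]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(render(*split_ts(raw), 7), "->", mismatched_rewrite(raw, 7),
              "| consistent:", consistent_rewrite(raw, 7))
```

Comparing the rendered timestamp of each packet before and after a conversion, as this does, is a quick way to confirm a capture's timeline survived the rewrite.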