Wireshark-dev: Re: [Wireshark-dev] adding IRIG time and time of day

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 1 Nov 2013 14:18:04 -0700
On Nov 1, 2013, at 1:39 PM, John Dill <John.Dill@xxxxxxxxxxxxxxxxx> wrote:

> I just finished installing the latest version of wireshark 1.10.2 and was able to build it successfully for Windows 7 using the recommended procedure in the developer's guide.
>  
> One of the things that I'd like to tweak is to add an IRIG time of day to the list of Time Display Formats.

Note that View -> Time Display Format controls the way packet time stamps are displayed, so the only formats that make sense are formats where you can take a count of seconds and nanoseconds since January 1, 1970, 00:00:00 UTC and convert it to that format.  Nothing else is implementable.

If, however, the file contains IRIG time stamps *in addition to* the packet time stamp read by Wireshark, it might be possible to have an IRIG time stamp column, separate from the "Time" column.
>  
> The issue is that my packet stream is synchronized to an IRIG time code generator and would like to display the date in the following format.
>  
> (day) hh:mm:ss.nnnnnnnnn
>  
> The timestamp is populated with a time of day starting with day 1 as Jan 1 12:00:00am and wraps around at either day 365 or 366 which corresponds to Dec 31, 11:59:59pm.  One slight issue is that the IRIG time does not capture the year, so some method will be needed to specify whether the date the leap year. I could use a heuristic like the date from the file, or use Ctrl + Alt + 8 to cycle between leap year and non-leap year displays.
>  
> The data is not collected from Wireshark directly, but from an external board that uses a modified pcap driver (cpcap) that I use to stream collected packets to file.

What is the file format?  Where does it store the IRIG time stamps?