Wireshark-dev: Re: [Wireshark-dev] Doubt regarding absolute time in wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 9 Dec 2014 12:18:34 -0800
On Dec 9, 2014, at 1:04 AM, Vishnu Bhatt <vishnu.bhatt@xxxxxxxxxxx> wrote:

> Suppose I capture a pcap file in country ‘A’ and the pcap file is being seen in some other machine in country ‘B’. What “absolute time” should Wireshark display? I’ve seen ambiguous behavior, in some cases A’s time zone is displayed and sometimes B’s timezone.

I'm assuming here that by "pcap file" you're specifically referring to files in pcap format, not just to all types of captures, no matter what file format they're in.

(Note also that some countries have more than one time zone, so I'll refer to "machine A" and "machine B", and their locations, rather than to "country A" and "country B".)

In pcap files, time stamps are supposed to be stored as seconds since January 1, 1970, 00:00:00 UTC, followed by microseconds (or, in a variant of that format, with a different magic number, nanoseconds) since that second.

If machines A and B are in different time zones (or have different daylight savings time/summer time rules), then, by default, B's time zone should be used, as, by default, the routines Wireshark uses to convert those time stamps should convert them to local time in the time zone of the machine on which Wireshark is running.

Pcap files have a "time zone offset" field, but no programs I know of set it in the file, so neither tcpdump nor Wireshark use it, nor will use it - and, as no programs I know of set it, even if they *did* use it, it wouldn't give you time stamps in the time zone of the machine that captured the packet.

So I'm somewhat surprised that, unless you configure machine B to be in machine A's time zone - or, on UN*X, run Wireshark with the TZ environment variable set for machine A's time zone - you *ever* see machine A's time zone.

The same applies to pcap-ng files, which store time stamps as units since January 1, 1970, 00:00:00 UTC. It has a not-well-described option in an Interface Description Block for a time zone, but, as it's not well described, I know of no software that uses it.

Some other capture file formats store time stamps in local time; Wireshark converts them to UTC for internal use, using routines that will convert them assuming that they're in the local time of the machine running Wireshark.  This *could* make it appear (modulo differences in daylight savings time/summer time rules) as if it's showing the time stamps from machine A's time zone.  However, again, that won't happen for *pcap* files.
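The following is an added example, not part of the reply above and not Wireshark or tcpdump code. It reads the pcap global header (magic number, including the nanosecond variant, and the "time zone offset" field the reply says nobody fills in), pulls the first record's UTC time stamp, and renders it in two constructed viewer zones (UTC-8 for "machine A", UTC+5:30 for "machine B") to show that the stored value is the same and only the rendering differs. It goes slightly beyond the reply by handling both byte orders of the header.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcap file-header magic values, as seen when the first four bytes are read little-endian.
# The nanosecond variant the reply mentions differs only in its magic number.
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian file, microsecond fraction
    0xD4C3B2A1: (">", 1_000_000),       # big-endian file, microsecond fraction
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian file, nanosecond fraction
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian file, nanosecond fraction
}

def first_timestamp(data: bytes) -> dict:
    """Parse the 24-byte global header and the first 16-byte record header.
    Returns the raw UTC fields plus the header's 'thiszone' offset, which
    writers leave at 0 and readers ignore."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    endian, divisor = MAGICS[magic]
    # version_major, version_minor, thiszone (signed), sigfigs, snaplen, linktype
    _, _, thiszone, _, _, _ = struct.unpack(endian + "HHiIII", data[4:24])
    ts_sec, ts_frac, _, _ = struct.unpack(endian + "IIII", data[24:40])
    return {"ts_sec": ts_sec, "ts_frac": ts_frac, "divisor": divisor, "thiszone": thiszone}

def render(ts: dict, tz: timezone) -> str:
    """Turn the stored UTC fields into a wall-clock string in the viewer's zone,
    which is what Wireshark's default conversion does on the viewing machine."""
    utc = datetime.fromtimestamp(ts["ts_sec"], tz=timezone.utc)
    utc += timedelta(microseconds=ts["ts_frac"] * 1_000_000 // ts["divisor"])
    return utc.astimezone(tz).isoformat()

def build_sample(nanos: bool) -> bytes:
    """Constructed sample file: one empty record stamped 2014-12-09 20:18:34.5 UTC."""
    when = int(datetime(2014, 12, 9, 20, 18, 34, tzinfo=timezone.utc).timestamp())
    magic, frac = (0xA1B23C4D, 500_000_000) if nanos else (0xA1B2C3D4, 500_000)
    header = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # thiszone left at 0
    record = struct.pack("<IIII", when, frac, 0, 0)
    return header + record

MACHINE_A = timezone(timedelta(hours=-8))             # capturing machine, UTC-8 (constructed)
MACHINE_B = timezone(timedelta(hours=5, minutes=30))  # viewing machine, UTC+5:30 (constructed)

if __name__ == "__main__":
    ts = first_timestamp(build_sample(nanos=True))
    print("thiszone field:", ts["thiszone"])          # 0: writers do not fill it in
    print("shown on machine A:", render(ts, MACHINE_A))
    print("shown on machine B:", render(ts, MACHINE_B))
```

Setting the viewer's zone to MACHINE_A's offset (or, on UN*X, running with TZ set as the reply describes) is the only way the rendered value ends up in A's local time.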