Wireshark-dev: [Wireshark-dev] Time Zone Setting in a PCAP-NG file

From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Sun, 5 Feb 2017 18:21:54 +0000

Hi,

 

I need some guidance on the time zone settings in a PCAP-NG file.

 

I have a pcapng file captured in the UK on 12th October 2016.  That means that the time zone at the time of capture was GMT +1.  There is a trace entry in this trace that shows in Wireshark today as 15:40:31.541142.  A screenshot taken at the time of the trace entry shows a clock time of 15:40.

 

 

If I look inside the pcapng file with a hex editor, there is no if_tzone option set in the IDB.  The EPB for the trace entry I’ve referred to above has:

 

·        Timezone High – 0xAB3E0500

·        Timezone Low – 0xC0B1FE22

 

If there is no time reference setting in the trace file, how does Wireshark know that the file was recorded in GMT +1 timezone.

 

This isn’t just idle curiosity.  I’ve written a trace format converter that converts IIS Logs into pcapng files.  IIS logs are recorded with GMT times by default.  The converter works OK but the timestamps in the packet list of the resulting converted file shows as though I am looking at GMT (see image below).  So I have an IIS log entry that matches the network trace entry above but shows as 14:40:31.

 

 

 

I’ve tried coding for the if_tzone IDB option and setting it to zero (GMT) but it makes no difference.

 

How do I get Wireshark to convert the time of a GMT trace entry to local time?

 

Thanks and regards…Paul


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________