Wireshark-users: Re: [Wireshark-users] Wireshark and Observer Time

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 9 Jul 2008 16:50:43 -0700

On Jul 9, 2008, at 6:22 AM, Edouard Funke wrote:

I have a problem with UTC/local capture time:
I captured packets with NI Observer 11 which timestamps packets with local time.

If so, then Wireshark *should* be converting it to UTC internally, and...

If I open the file with wireshark 1.0.0, I think it tries to convert
it to local time again (in my case, as I am in Paris, it adds 1
hour).

...trying to convert it back to local time for display.

To quote the comment in the source file for handling Observer files:

/*
 * The time in Observer files is in nanoseconds since midnight, January 1,
 * 2000, 00:00:00 local time.
 *
 * We want the seconds portion to be seconds since midnight, January 1,
 * 1970, 00:00:00 GMT.
 *
 * To do that, we add the number of seconds between midnight, January 1,
 * 2000, 00:00:00 local time and midnight, January 1, 1970, 00:00:00 GMT.
 * (That gets the wrong answer if the time zone is being read in a different
 * time zone, but there's not much we can do about that.)
 */

So if your capture wasn't done in the Western European time zone, the display won't be correct.

We could perhaps redesign Wireshark's handling of time stamps to handle both files where the time stamps are in UTC (such as the libpcap format that Wireshark uses as its native format) and files where the time stamps are in local time, but that'd require some thought.
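A worked example of the conversion that comment describes, added here as illustration; it is not Wireshark's code and not part of the thread. It assumes only what the comment states: an Observer stamp is a count of nanoseconds since 2000-01-01 00:00:00 local time, and the reader adds the seconds between that local instant and the Unix epoch, computed with mktime() under the zone the file is opened in. The sample stamp value, the POSIX TZ strings (used with setenv()/tzset() so no tz database is needed), the tm_isdst choice and the function names are constructed for this example. Running the same stamp under three zones shows why a file written in one zone and opened in another comes out shifted.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Unix time split the way a capture-file reader wants it. */
struct unix_ts {
    time_t   secs;   /* seconds since 1970-01-01 00:00:00 UTC */
    uint32_t nsecs;  /* nanoseconds within that second */
};

/* Seconds between 2000-01-01 00:00:00 in the *reader's* local zone and the
 * Unix epoch. mktime() interprets the struct tm as local time under the
 * current TZ, so this value moves with the zone the file is opened in,
 * which is exactly the weakness the quoted source comment points out. */
static time_t observer_epoch_offset(void)
{
    struct tm tm2000;
    memset(&tm2000, 0, sizeof tm2000);
    tm2000.tm_year  = 2000 - 1900;
    tm2000.tm_mon   = 0;   /* January */
    tm2000.tm_mday  = 1;
    tm2000.tm_isdst = -1;  /* assumption: let mktime() decide whether DST applies */
    return mktime(&tm2000);
}

/* Convert an Observer stamp (nanoseconds since 2000-01-01 00:00:00 local
 * time, per the quoted comment) to Unix seconds plus nanoseconds. */
static struct unix_ts observer_to_unix(uint64_t ns_since_2000)
{
    struct unix_ts ts;
    ts.secs  = (time_t)(ns_since_2000 / 1000000000ULL) + observer_epoch_offset();
    ts.nsecs = (uint32_t)(ns_since_2000 % 1000000000ULL);
    return ts;
}

/* Run the conversion as if the file were opened on a machine in zone `tz`
 * (a POSIX TZ string such as "UTC0", so no tz database is required). */
static struct unix_ts convert_in_zone(const char *tz, uint64_t ns_since_2000)
{
    setenv("TZ", tz, 1);
    tzset();
    return observer_to_unix(ns_since_2000);
}

/* Constructed sample: 1 hour and 0.5 s after the Observer epoch, as the
 * capturing machine would have written it in its own local time. */
#define SAMPLE_STAMP_NS (3600ULL * 1000000000ULL + 500000000ULL)

int main(void)
{
    static const char *zones[] = {
        "UTC0",                        /* reader in UTC */
        "CET-1CEST,M3.5.0,M10.5.0/3",  /* reader in Paris (UTC+1 in January) */
        "EST5EDT,M3.2.0,M11.1.0",      /* reader in New York (UTC-5 in January) */
    };
    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++) {
        struct unix_ts ts = convert_in_zone(zones[i], SAMPLE_STAMP_NS);
        char buf[32];
        strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", gmtime(&ts.secs));
        printf("TZ=%-28s -> %ld.%09u (%s UTC)\n", zones[i],
               (long)ts.secs, (unsigned)ts.nsecs, buf);
    }
    return 0;
}
```

The three rows differ by whole hours for the same stamp: only the row whose TZ matches the zone the capture was taken in yields the true UTC instant, and Wireshark's display then converts that back to the viewer's local time on top. Any other combination of capturing zone and viewing zone shifts every packet by the difference between the two offsets.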