Wireshark · Ethereal-dev: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GP

Ethereal-dev: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>

Date: Sat, 16 Dec 2000 12:17:19 -0800

On Sun, Dec 17, 2000 at 12:23:29AM +1000, Richard Sharpe wrote:
> Well, I have confirmed that the packet crashes Ethereal under Win95, and is
> read OK under Linux.

...but gives a rather, umm, *interesting* value for the Last Write Date
and Last Write Time - a pre-war date, and by "pre-war" I mean prior to
the Great War, i.e. 1905-05-26.

It turns out that the MSVC++ version of "gmtime()" returns NULL if
handed a date/time that predates the Epoch, and 1905-05-26 is about 64
1/2 years before the Epoch.

I shall have to check some notes at work, but I suspect that the date
and time in this reply is *not* in the weird almost-UNIX-like date and
time format used by some SMB requests and replies, but may, instead, be
in DOS date/time format.

If I apply the attached patch to "packet-smb.c", which changes the code
to assume a DOS date/time format in an SMB Get Attributes reply (and
also fixes the code that displays the date and time to use the correct
offsets when putting entries into the protocol tree), the last modified
date and time becomes 1996-08-00 16:51:56, which, although it's over
four years ago, is more likely to be correct than is a date near the
turn of the century.

I shall compare its dissection with what Microsoft's Network Monitor
claims to be the date and time.

Follow-Ups:
- Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
  - From: Guy Harris
- Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
  - From: Richard Sharpe

References:
- [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
  - From: Michael Hennessy
- Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
  - From: Richard Sharpe

Prev by Date: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?
Next by Date: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
Previous by thread: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
Next by thread: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP5 grabs a packet it GPF's when decoding
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$