Ethereal-dev: [Ethereal-dev] NetXray / Sniffer Time Codes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Jepeway <jepeway@xxxxxxxxxxxxxxxxx>
Date: Sun, 04 Feb 2001 16:41:14 -0500
One of my clients makes heavy use of NAI's Distributed Sniffers.
I'm working with them to debug problems they see with some web-based
apps they've written.  They've given me some traces in .cap format,
which appear to be NetXray version 2.001 files.  I use ethereal to
dig through these traces, and I use tethereal to get timings using
awk/perl/whatever.

Simple, so far.

But, when I tried to cross-check the tools I've written
with an old copy of Optimal (now Compuware's Application Expert)
that my customer uses, I found something...well...nuts.

Optimal can't read .cap files, but it can read .enc files.  OK,
fine, the .caps were converted to .encs using the Sniffer.  No
big deal there, either.

However, Optimal showed markedly different timecodes in the .enc
file from what ethereal showed reading the .cap file.  Scratching
my head while I thought "eh, what did I do wrong?", I confirmed that
ethereal disagrees with the Sniffer as to times in the .cap files, too.

Now, the crazy part.

After some digging around in wiretap/netxray.c and staring at
the differences in times displayed by all three tools for the
different formats, I've concluded that a tick in a .cap file
is not a microsecond.  Instead, a tick is 88/105ths of a
microsecond, or thereabouts.

Which is nuts.  Except that changing wiretap/netxray.c to
reflect that timescale produces timecodes that agree within
a microsecond, or so, with the .enc files and with what the
Sniffer displays.  I could get a better figure than 88/105
with a bit more effort.

Before I invest that effort and tidy up my changes to netxray.c
so I can submit them as a patch, I'd love a sanity check by someone
who has a Sniffer that writes NetXray v2.001 files.  Frankly,
I'm hoping I'm just wrong.

So, is there anybody out there with a Sniffer that writes
NetXray v2.001 .cap files who'd be willing to check me on this?
To, say, suck up some packets, save the trace as both a .cap
file and a .enc file, and check whether ethereal gets different
times for each format?  And whether it disagrees with the Sniffer
as to times in the .cap file?  FWIW, I'm running ethereal under
Solaris-2.7 on an Ultra-5.

Chris Jepeway <thai-dragon@xxxxxxxxxxxx>.
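As an added cross-check (example code written for this archive page, not from the post or from Ethereal's wiretap/netxray.c), the Python below converts .cap ticks under both the one-microsecond and the 88/105-microsecond interpretations and fits the tick length from a trace saved in both .cap and .enc form, which is the comparison the post asks readers to run. The five sample timestamps are constructed, and the 88/105 us tick length (about 1,193,182 ticks per second) is taken from the post rather than read from a file.

```python
from fractions import Fraction

# Tick length the post arrived at empirically: 88/105 of a microsecond,
# i.e. about 1,193,182 ticks per second. Assumed here, not read from a file.
TICK_US = Fraction(88, 105)

# Constructed sample: the same five packets as a Sniffer would store them in a
# NetXray 2.001 .cap (raw ticks at ~1,193,182/s) and in an .enc (microseconds).
# Neither list comes from a real trace.
CAP_TICKS = [0, 596591, 1431818, 3579546, 11931820]
ENC_US = [0, 500000, 1200000, 3000000, 10000000]


def naive_seconds(ticks):
    """One tick per microsecond: the interpretation the post says Ethereal used."""
    return ticks / 1_000_000


def ticks_to_seconds(ticks, tick_us=TICK_US):
    """Convert a raw tick count to seconds using the corrected tick length."""
    return float(ticks * tick_us) / 1_000_000


def estimate_tick_us(cap_ticks, enc_us):
    """Fit microseconds-per-tick from a trace saved as both .cap and .enc.

    Deltas from the first packet are used so the two files' start-of-capture
    epochs need not agree; the slope is a least-squares fit through the origin.
    """
    if len(cap_ticks) != len(enc_us) or len(cap_ticks) < 2:
        raise ValueError("need the same packets in both formats, at least two")
    dc = [c - cap_ticks[0] for c in cap_ticks]
    de = [e - enc_us[0] for e in enc_us]
    den = sum(x * x for x in dc)
    if den == 0:
        raise ValueError("all .cap timestamps are identical; cannot fit a slope")
    return sum(x * y for x, y in zip(dc, de)) / den


if __name__ == "__main__":
    est = estimate_tick_us(CAP_TICKS, ENC_US)
    print(f"fitted tick length: {est:.6f} us (post's figure: {float(TICK_US):.6f})")
    for c, e in zip(CAP_TICKS, ENC_US):
        print(f"{c:>9} ticks  naive {naive_seconds(c):9.6f}s"
              f"  corrected {ticks_to_seconds(c):9.6f}s  .enc {e / 1e6:9.6f}s")
```

On the constructed data the naive reading of a ten-second trace comes out at 11.93 s, while the corrected reading lands within a few microseconds of the .enc times. Note that 105/88 MHz is 1.19318 MHz, the clock frequency of the PC's 8254 interval timer, which is consistent with the ratio the post found.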