Ethereal-dev: [Ethereal-dev] Text2PCAP Date Format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Tim Vale" <tvale@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 21 Jan 2002 08:29:55 -0000
Help !!

What am I doing wrong with the Hexdump output (example.txt) ?

text2pcap reads the frames and successfully encodes the output capture file but does not see the arrived date and time.

I have tried just outputting...

07:35:36.0000
000000 00 01 42 33 34 60 00 50 DA 7B 10 8C 08 00 45 00 ..B34`.PÚ{.O..E.
etc

...and using the -t "%H:%M:%S." option, but still the capture file ignores the arrived time stamp.

Also...

I am trying to decode .ENC "Network Associates Sniffer files (DOS-based)" for a part of an ongoing in-house project.

I have, so far, isolated the 55 Byte Header and the 20 Byte Frame Preambles and obtained the Frame size (Bytes 13&14) and timestamp
(Bytes 7-10 * 2/1000000) for each Frame.

However - I cannot, even after viewing the "ngsniffer.c" file, understand how the "actual" time is obtained. I have also pored
over the NA Sniffer manuals to no avail.

I suspect it follows a similar process - but cannot decipher how you get an actual date and time for when the packets are received
from the Header/Preamble. In fact, the number of seconds obtained from Bytes 7-10 in the preamble appears to start with a "random"
number of seconds - I believe these values must associate with some value in the 55 Byte Header to provide an Actual Timestamp.

Also - there is (Bytes 3 & 4) another frame size which is always 14 bytes more than (Bytes 13&14) - I am guessing that this is the
end of the DLC frame that is ignored and not saved in the trace. Any ideas on that one ?

I am only interested in Ethernet Frames (IP mainly).

Can you please shed any light on these problems or point me to an idiot's guide of any sort?

Cheers
T.

Tim Vale
Frantic Networks Limited

Mobile: +44 (0) 7712 627203
Fax: +44 (0) 1252 711144
EMail: tvale@xxxxxxxxxxxxxxxxxxxx
Web: www.frantic-networks.com
01/21/2002 07:35:36.0000
000000 00 01 42 33 34 60 00 50 DA 7B 10 8C 08 00 45 00 ..B34`.PÚ{.Œ..E.
000010 00 46 B4 05 00 00 80 11 C9 DB AC 10 0A 02 C0 A8 .F´...€.ÉÛ¬...À¨
000020 46 0B 04 14 00 35 00 32 A7 B8 00 01 01 00 00 01 F....5.2§¸......
000030 00 00 00 00 00 00 03 77 77 77 10 66 72 61 6E 74 .......www.frant
000040 69 63 2D 6E 65 74 77 6F 72 6B 73 03 63 6F 6D 00 ic-networks.com.
000050 00 01 00 01                                     ....

01/21/2002 07:35:36.0371
000000 00 50 DA 7B 10 8C 00 01 42 33 34 60 08 00 45 00 .PÚ{.Œ..B34`..E.
000010 00 56 9D 7A 00 00 7E 11 E2 56 C0 A8 46 0B AC 10 .Vz..~.âVÀ¨F.¬.
000020 0A 02 00 35 04 14 00 42 4E 40 00 01 85 80 00 01 ...5...BN@..…€..
000030 00 01 00 00 00 00 03 77 77 77 10 66 72 61 6E 74 .......www.frant
000040 69 63 2D 6E 65 74 77 6F 72 6B 73 03 63 6F 6D 00 ic-networks.com.
000050 00 01 00 01 C0 0C 00 01 00 01 00 00 0E 10 00 04 ....À...........
000060 C0 A8 46 0B                                     ˬF.
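
Added example, not part of the original post or of the Ethereal sources: Python code that reads a dump in the layout of the attached example.txt (a date/time line followed by offset-prefixed hex lines) and builds a pcap file whose records carry those arrival times. It assumes the times are UTC, that the digits after the decimal point are a decimal fraction of a second, and that the frames are Ethernet; `parse_dump` and `to_pcap` are hypothetical names.

```python
import calendar
import re
import struct
import time

# Constructed sample in the layout of example.txt (ASCII column simplified).
SAMPLE = """\
01/21/2002 07:35:36.0000
000000 00 01 42 33 34 60 00 50 DA 7B 10 8C 08 00 45 00 ..B34`.P.{....E.
000010 00 46 B4 05

01/21/2002 07:35:36.0371
000000 00 50 DA 7B 10 8C 00 01 42 33 34 60 08 00 45 00 .P.{....B34`..E.
"""

STAMP = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.(\d+)\s*$")
# Six-digit hex offset, then 1 to 16 space-separated bytes; the ASCII column is ignored.
HEXLINE = re.compile(r"^([0-9A-Fa-f]{6})((?: [0-9A-Fa-f]{2}){1,16})(?=\s|$)")

def parse_dump(text):
    """Return [(ts_sec, ts_usec, frame_bytes), ...] from a timestamped hex dump."""
    frames = []  # each entry: [ts_sec, ts_usec, bytearray]
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:  # a timestamp line starts a new frame
            secs = calendar.timegm(time.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"))
            usec = int((m.group(2) + "000000")[:6])  # ".0371" -> 37100 microseconds
            frames.append([secs, usec, bytearray()])
            continue
        m = HEXLINE.match(line)
        if m and frames:
            offset = int(m.group(1), 16)
            if offset != len(frames[-1][2]):  # offsets must be contiguous
                raise ValueError(f"offset {offset:#x} does not follow previous data")
            frames[-1][2] += bytes.fromhex(m.group(2))
    return [(s, u, bytes(d)) for s, u, d in frames if d]

def to_pcap(frames, linktype=1):
    """Serialize frames as a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for secs, usec, data in frames:
        out += struct.pack("<IIII", secs, usec, len(data), len(data)) + data
    return out
```

Writing `to_pcap(parse_dump(open("example.txt", encoding="latin-1").read()))` to a file in binary mode gives a capture that can be opened directly, without going through text2pcap's `-t` handling.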