Ian Schorr wrote:
>
> I think I found at least one of the problems with interpreting
> Sniffer-format files' timestamps:
>
>
> On Tue, Sep 17, 2002 at 04:12:18PM -0500, Tobin Schuster wrote:
> > I have noticed that Ethereal incorrectly displays the packet time when
> > displaying packets captured using Network Associates Sniffer Basic
> > version 3.50.02.
>
> We have found that sometimes it displays the packet time correctly and
> sometimes it doesn't.
>
> The capture format used by the Windows-based Sniffer software isn't
> documented anywhere I know of, so it had to be reverse-engineered. It
> appears that there is something strange going on with its time stamps,
> which we have been unable to determine - although there have been
> messages in the past to one of the Ethereal lists claiming that a trace
> from either Sniffer Basic or Sniffer Pro on one PC gave the wrong time
> stamps when read by Sniffer on another PC, so perhaps the problem is
> completely insoluble (if Network Associates can't make it work, it's not
> clear that we can make it work).

You're right that it's popped up many times, by many people... I know
that either I or a coworker noticed the timestamp problem before
consulting the ethereal list. It is an outstanding issue, as far as I
can tell.

I don't think I've heard of people modifying the binary file, and then
rereading it with sniffer pro/basic/whatever... I'm sure that some
could provide insight as to what each field does. Some of the values in
the files are not very intuitive at all, and so might very well require
long captures to get the right/approximate value...