Wireshark · Ethereal-dev: Re: [Ethereal-dev] Ethereal 0.9.16 doesn't read AiroPeek 2.0 files

[Guy Harris <guy@xxxxxxxxxxxx>]

On Dec 2, 2003, at 7:54 AM, Martijn Schipper wrote:

> Ok, so I started to make a file decoder for AiroPeek version 9 files.
> Find attached the diff file (against 0.9.16) and the new decoder.

Checked in, with some cleanups.

> It seems that only AiroPeek moved to this new file format, so that is
> why I called it airopeek9. (I downloaded the latest demo version of
> Etherpeek and the samples that came with this version are still version
> 7 files). Does anyone know if EtherPeek also uses V9 files?

What about EtherPeek NX?  (The new file format's MediaType value 
matches what appears in AiroPeek captures, so perhaps it's currently 
only used for AiroPeek - maybe they wanted to add a bunch of additional 
information, and decided to go with a new format.)

> There is still one problem with this version: the time stamp is NOT
> correct. It is still about 31 years in the future. The time difference
> between packets is OK. Has anybody a suggestion what could be the magic
> with the time stamps in these files?

Perhaps the time stamps in V9 files aren't relative to the Mac OS OT 
(the non-UNIX Mac OS) time origin, given that it's a new file format 
and that it's not a Mac application?  (Sigh.  Too bad the IOKit doesn't 
think 802.11 is different from 802.3....)

There are RawTime and Time values in the session header; the RawTime 
value appears either to be a UNIX time_t (seconds since January 1, 
1970, 00:00:00 GMT) or a time_t with the time zone bias (also in the 
session header) factored in, if the Time value is to be believed.  
Perhaps the packet time stamps are relative to that time, which might 
be the starting time of the capture.