On Wed, Jan 28, 2004 at 08:47:29PM +0530, naveenk wrote:
> When packet is captured what time stamp it gets, i.e. does the bpf mechanism
> take into account the time zone of the machine capturing is taking place on.

On UNIX systems, the time stamp that BPF, or the Linux networking code,
or the Solaris "bufmod" streams module, or... uses is normally a UNIX
time stamp, which does *NOT* take into account the time zone of the
machine on which capturing is taking place - i.e., it's seconds since
midnight GMT, January 1, 1970, not some representation of local time.
On Windows, the WinPcap driver produces the same type of time stamps.

> there may be two scenarios
> 1. all times are changed to GMT 0.0 so that if the captured data is viewed
> on any other machine appropriate time zone offset can be added while
> displaying the packets

That's probably the best description of the way time stamps work in
libpcap-format files, except that the only time zone offset that's
applied is the time zone offset for the time zone in which the machine
running Ethereal is running (that time zone, by the way, isn't a
constant, if the capture was running when a switch between standard and
summer time takes place).

> Also I observe the local time calculation is done in strptime.c

Or, rather, in "strptime()", which is present as part of the OS on most
UNIXes these days, as well as in "col_set_abs_time()" for the packet
list display ("col_set_abs_time()" doesn't use "strptime()").

> where local time is calculated using usual C routine with OS support

Yes, "localtime()".
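
The behaviour described in this message, as an added example that is not part of the original post and is not Ethereal or libpcap code: the record header of a libpcap-format file stores seconds since the epoch, and the zone only enters when the reader calls "localtime()". The sample bytes, the names first_ts() and show(), and the TZ strings are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample: libpcap global header (24 bytes) followed by one
 * record header (16 bytes), little-endian, ts_sec = 1075303049. */
static const unsigned char sample[40] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00,   /* magic, version 2.4 */
    0,0,0,0, 0,0,0,0,                            /* thiszone, sigfigs  */
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,    /* snaplen, link type */
    0x89,0xd2,0x17,0x40, 0x40,0xe2,0x01,0x00,    /* ts_sec, ts_usec    */
    0,0,0,0, 0,0,0,0                             /* caplen, len        */
};

/* Read a 32-bit field; big != 0 means the file was written big-endian. */
static uint32_t rd32(const unsigned char *p, int big) {
    uint32_t le = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return big ? (le >> 24) | ((le >> 8) & 0xff00u) | ((le << 8) & 0xff0000u) | (le << 24) : le;
}

/* Extract the first record's time stamp; 0 on success, -1 on bad input. */
int first_ts(const unsigned char *buf, size_t len, uint32_t *sec, uint32_t *usec) {
    if (len < 40) return -1;
    uint32_t magic = rd32(buf, 0);
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int big = (magic == 0xd4c3b2a1u);
    *sec = rd32(buf + 24, big);
    *usec = rd32(buf + 28, big);
    return 0;
}

/* Render epoch seconds as wall-clock time in the reader's zone (POSIX TZ string). */
char *show(uint32_t sec, const char *tz, char *out, size_t n) {
    time_t t = (time_t)sec;
    struct tm tm;
    setenv("TZ", tz, 1); tzset();     /* the zone is a property of the reader */
    localtime_r(&t, &tm);
    strftime(out, n, "%Y-%m-%d %H:%M:%S", &tm);
    return out;
}

int main(void) {
    uint32_t s, us; char a[32], b[32];
    if (first_ts(sample, sizeof sample, &s, &us)) return 1;
    printf("%u.%06u UTC=%s IST=%s\n", (unsigned)s, (unsigned)us,
           show(s, "UTC0", a, sizeof a), show(s, "IST-5:30", b, sizeof b));
    return 0;
}
```

The same stored value renders differently on each analysis machine, so timelines built from several captures should be correlated on the epoch value or on UTC.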