Wireshark · Ethereal-users: Re: [ethereal-users] Problem with Absolute Date Function, plus advice on a Thread Util ity

Ethereal-users: Re: [ethereal-users] Problem with Absolute Date Function, plus advice on a Threa

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>

Date: Mon, 17 Jul 2000 14:53:44 -0700 (PDT)

> The problem is that this trace was taken at 9:30pm today (BST), yet
> Tethereal reports this it arrived at soon after midnight.  The date is
> correct but not the time. Ethereal reports the same time as Tethereal.
> Netmon reports the correct time though so the data is in the trace file.

The fact that the file was read both by Ethereal/Tethereal and Network
Monitor read the file presumably means you either

	1) captured the file using Tethereal or Ethereal and converted
	   it to a form that Network Monitor can read (its native
	   format, or Sniffer format)

or

	2) captured it using some other tool (NetMon, or perhaps a
	   Sniffer) and had Ethereal and Tethereal read it.

In either case, perhaps there's a problem with the code in the library
that Ethereal and Tethereal use to read and write capture files
(assuming the conversion in 1) above was done using Ethereal, Tethereal,
or editcap).

Can you send us the capture file as produced by the program that did the
capture?

> I presume that tethereal is in fact reporting the time after the beginning of
> the trace before the first packet and adding that to the trace file's date?

Tethereal is reporting the UNIX-style time stamp (seconds since January
1, 1970, 00:00:00 GMT, plus microseconds since the beginning of the
second in question) that was handed to it by the library reading the
capture file.

For capture files in the format Ethereal and Tethereal use when they're
doing the capture, that's the format in the file.

For capture files in other formats, that time is either in the file (for
some formats, e.g.  Sun snoop format) or generated, by the library in
question, from the time in the file (for other formats).

For Network Monitor captures, the time is generated by generating a
UNIX-style time from the year/month/day/hour/minute/second/millisecond
start time in the capture file header, and adding to it, for each
packet, the time-since-the-start-of-the-capture value in the header for
the packet.

For Sniffer captures, the time is generated in a similar fashion
(although the time stamps in the file are in a different format).

References:
- [ethereal-users] Problem with Absolute Date Function, plus advice on a Thread Util ity
  - From: Alistair . McGlinchy

Prev by Date: Re: [ethereal-users] Any plan to support LDP/TDP ?
Next by Date: RE: [ethereal-users] Problem with Absolute Date Function, plus ad vice on a Thread Util ity
Previous by thread: [ethereal-users] Problem with Absolute Date Function, plus advice on a Thread Util ity
Next by thread: Re: [ethereal-users] Problem with Absolute Date Function, plus advice on a Thread Util ity
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$