Ethereal-users: Re: [Ethereal-users] Ethereal Decode of Network Associats Flawed

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Thu, 18 Nov 2004 07:36:34 +1100
The problem is that the file format from that other tool is
undocumented and no one knows how it really works.
NA has not documented how timestamps are stored and scaled in their files.

This means that while the developers of Ethereal have tried real hard
to interoperate as much as possible, some versions of Sniffer just
use versions of their file format where we just don't know how they
obfuscate the timestamps.
Thus the timestamps are bogus when read into any other tool.

See if you can find out how they store timestamps in these versions of
their files or if you can get them to make public the specification
for the file format.

On Wed, 17 Nov 2004 17:09:33 +0000, larryjadams@xxxxxxxxxxx
<larryjadams@xxxxxxxxxxx> wrote:
>  
> I am comparing a Network Associates/General sniffer capture side by side
> with the Ethereal version and the time Relative is off by a factor of
> approximately 2.83x.  In other words, when I have a delta time of .210 in
> Network General, I show a corresponding delta time of .074 in Ethereal. 
> Also, the General date is off by over 4 days.  I conducted a sniffer capture
> on 11/16 and Ethereal shows it as 11/12.  In addition, the sample that I
> described had an overall duration of approximately 4 minutes and Ethereal
> showed less than 2. 
>   
> Could somebody explain what is wrong with the decoder and how it can be
> fixed?
>   
> Thanks, 
>   
> Larry Adams 
> TheWitness (Cacti Developer) 