Wireshark-bugs: [Wireshark-bugs] [Bug 10190] The .cap files generated from Message Analyzer use
Guy Harris
changed
bug 10190
What |
Removed |
Added |
OS |
Windows 7
|
All
|
Comment # 9
on bug 10190
from Guy Harris
(In reply to comment #0)
> From: gikim@microsoft.com
> If you install Microsoft Network Monitor, you can find .cap file format at
> Microsoft Network Monitor | network Monitor Overview | Capture File Format
> section in Help | Contents and SDK menu.
>
> The TimeStamp field of the Frame Layout is introduced with Network Monitor
> 2.3 to resolve time zone issue, accuracy and file merging issue and should
> be used if ExtendedInfoOffset in the capture file header is not 0.
>
> Technically, it is not a fault of Wireshark to use TimeOffsetLocal instead
> of TimeStamp as we don’t mark that field as deprecated. But it would be
> better to use TimeStamp field as TimeOffsetLocal is not UTC time and is not
> accurate as TimeStamp.
Technically:
if the NetMon 2.3 format spec is to be read as saying the trailer is
present, *regardless* of the version number, if the ExtendedInfoOffset is
non-zero ("FILETIME structure UTC timestamp. In increments of 0.1μs (100 ns).
This is used if and only if ExtendedInfoOffset in the capture file header is
not 0."), it's a fault of Network Monitor 3.4 that it doesn't read the file
data trailer if the version number is 2.0 and the ExtendedInfoOffset is
non-zero;
if the spec is to be read as implying that ExtendedInfoOffset should be
non-zero only in 2.3 or later format files, it's a fault of whatever program
wrote that file (Message Analyzer?) that it wrote out a version number of 2.0
and a non-zero ExtendedInfoOffset value.
> If you have any more question, please let me know via email.
>
> Kim
Ken, could you send Kim a message about this?
We need to know from somebody at Microsoft:
What is the correct way to handle NetMon files - the way NetMon 3.4 reads
them, or the way Message Analyzer writes them?
And, if the format version is 2.0 but ExtendedInfoOffset is non-zero,
meaning that the packets *do* have record trailers, should the record trailer's
MediaType and ProcessInfoIndex fields be used?
You are receiving this mail because:
- You are watching all bug changes.