On Jul 9, 2008, at 6:22 AM, Edouard Funke wrote:
I have a problem with UTC/local capture time :
I captured packets with NI Observer 11 which timestamps packets with
local time.
If so, then Wireshark *should* be converting it to UTC internally,
and...
If I open the file with wireshark 1.0.0, i think it tries to convert
it to local time again (in my case , as i am in Paris, it adds 1
hour).
...trying to convert it back to local time for display.
To quote the comment in the source file for handling Observer files:
/*
* The time in Observer files is in nanoseconds since midnight,
January 1,
* 2000, 00:00:00 local time.
*
* We want the seconds portion to be seconds since midnight, January 1,
* 1970, 00:00:00 GMT.
*
* To do that, we add the number of seconds between midnight, January
1,
* 2000, 00:00:00 local time and midnight, January 1, 1970, 00:00:00
GMT.
* (That gets the wrong answer if the time zone is being read in a
different
* time zone, but there's not much we can do about that.)
*/
So if your capture wasn't done in the Western European time zone, the
display won't be correct.
We could perhaps redesign Wireshark's handling of time stamps to
handle both files where the time stamps are in UTC (such as the
libpcap format that Wireshark uses as its native format) and files
where the time stamps are in local time, but that'd require some
thought.