Ethereal-dev: Re: [Ethereal-dev] RE: [Ethereal-users] ethereal v0.8.14.1 and 0.8.14 on NT4SP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Sun, 17 Dec 2000 13:01:30 +1000

At 06:21 PM 12/16/00 -0800, Guy Harris wrote:
>> At 10:27 AM 12/17/00 +1000, Michael Hennessy wrote:
>> OK, it seems to me that NT uses a different date/time format, which is
>> neither the UTIME format nor DOS_DATE and DOS_TIME format, as I have
>> modified Ethereal to dissect the date/time in both formats for an NT
>> capture, and both are incorrect, it seems ...
>
>Network Monitor thinks the time field in the "get attributes" reply is 4
>bytes long; unless the four bytes after the 0x00 0x21 0x7c 0x86 are part
>of an 8-byte value of type TIME (for which read FILETIME), it's not in
>the NT format I mentioned (10ths of microseconds since an epochal date
>back in 1601).
>
>It's probably treating the time as an *unsigned* number of seconds since
>January 1, 1970, 00:00:00.0, hence it's past 2038 (2041) rather than
>before 1970 (1905).

Yes, I agree that it is a 4-byte quantity, because in some other captures I
have from NT, the length field, which is right after the last write time,
is correct, and has the correct value in it.

So, what is that damn format? Just checking to see if it is 10ths of
seconds, in an unsigned format ...


Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
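
The candidate interpretations discussed in this message, applied to the four quoted bytes (an added example, not code from the original message or from Ethereal). It assumes the bytes are in little-endian wire order, as SMB fields are, and, for the "10ths of seconds" guess, a 1970 epoch, which the message does not specify.

```python
import struct
from datetime import datetime, timedelta

UNIX_EPOCH = datetime(1970, 1, 1)
FILETIME_EPOCH = datetime(1601, 1, 1)

# The four bytes quoted in the thread, in the order they appear on the wire.
FIELD = bytes([0x00, 0x21, 0x7C, 0x86])

def utime_unsigned(raw):
    """4-byte little-endian count of seconds since 1970, read as unsigned."""
    (secs,) = struct.unpack("<I", raw)
    return UNIX_EPOCH + timedelta(seconds=secs)

def utime_signed(raw):
    """Same four bytes read as a signed 32-bit count (classic time_t)."""
    (secs,) = struct.unpack("<i", raw)
    return UNIX_EPOCH + timedelta(seconds=secs)

def tenths_unsigned(raw):
    """Unsigned count of tenths of a second; 1970 epoch is an assumption."""
    (ticks,) = struct.unpack("<I", raw)
    return UNIX_EPOCH + timedelta(milliseconds=ticks * 100)

def filetime(raw8):
    """8-byte NT FILETIME: 100 ns (tenths of a microsecond) since 1601."""
    (ticks,) = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def candidates(raw):
    """Decode one 4-byte field under each 4-byte hypothesis."""
    return {
        "unsigned seconds since 1970": utime_unsigned(raw),
        "signed seconds since 1970": utime_signed(raw),
        "unsigned tenths of seconds since 1970": tenths_unsigned(raw),
    }

if __name__ == "__main__":
    for name, value in candidates(FIELD).items():
        print(f"{name:40s} {value.isoformat()}")
    # FILETIME needs eight bytes; the thread only quotes four, so this is a
    # constructed value: the FILETIME tick count for 1970-01-01 00:00:00.
    sample = struct.pack("<Q", 116444736000000000)
    print(f"{'constructed 8-byte FILETIME':40s} {filetime(sample).isoformat()}")
```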