Ethereal-dev: Re: [Ethereal-dev] NetXray / Sniffer Time Codes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 6 Feb 2001 00:47:40 -0800

On Sun, Feb 04, 2001 at 04:41:14PM -0500, Chris Jepeway wrote:
> After some digging around in wiretap/netxray.c and staring at
> the differences in times displayed by all three tools for the
> different formats, I've concluded that a tick in a .cap file
> is not a micro-second.  Instead, a tick is 88/105ths of a
> micro-second, or thereabouts.

For what it's worth:

	1) 88/105 is about .838;

	2) in Sniffer Classic (".enc") files, the time stamp units are
	   specified by a small integer in the version record, and if
	   the value of that integer is 1, the time stamp units are
	   .838096 microseconds.  (See the "Usec" array in
	   "wiretap/ngsniffer.c".)

Now, whether

	1) NetXRay always used that time stamp value (I don't think it
	   did);

	2) Network {General, Associates - I forget whether they bought
	   Cinco before or after the NG/McAfee merger} used a different
	   time stamp in the Windows sniffers than in NetXRay;

	3) there's a number in the Windows sniffer capture file header
	   giving the units, Sniffer Classic-style;

is another matter.