Wireshark · Ethereal-dev: Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files

Ethereal-dev: Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Chris Jepeway <thai-dragon@xxxxxxxxxxxx>

Date: Tue, 08 May 2001 21:19:31 -0400

Follows, a patch that sets the time scale for NetXray v2
files based on the byte that's currently known as <hdr>.xxz[2].
It doesn't change anything for v1 files: those still switch
scale based on their minor version.

The byte and the scale they represent are based on some
some captures I have and e-mails and/or captures from
<pjw@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> and <jhouse@xxxxxxxxx>.

I picked xxz[2] since it's the sole unknown byte that varies
in a way that matches the reported times in the captures I
examined.  Mind you, this is only a sample from three sites,
each running 3 different NAI sniffers.

Chris.

BTW, I'd previously said I suspected that xxz[3] encoded the
time scale for v2 files.  That was wrong: the tool I wrote to
dig around in v2 headers labelled that byte "z3" and I guess
I made the obvious blunder when I wrote xxz[3].


Index: wiretap/netxray.c
===================================================================
RCS file: /cvsroot/ethereal/wiretap/netxray.c,v
retrieving revision 1.38
diff -u -r1.38 netxray.c
--- netxray.c	2001/03/23 23:16:29	1.38
+++ netxray.c	2001/05/08 23:33:19
@@ -50,7 +50,9 @@
 	guint32	end_offset;	/* offset after last packet in capture */
 	guint32 xxy[3];		/* unknown */
 	guint16	network;	/* datalink type */
-	guint8	xxz[6];
+	guint8	xxz[2];
+	guint8	timeunit;	/* encodes length of a tick */
+	guint8	xxa[3];
 	guint32	timelo;		/* lower 32 bits of time stamp of capture start */
 	guint32	timehi;		/* upper 32 bits of time stamp of capture start */
 	/*
@@ -58,6 +60,12 @@
 	 */
 };
 
+/*
+ * # of ticks that equal 1 second
+ */
+static double TpS[] = { 1e6, 1193000.0, 1193180.0 };
+#define NUM_NETXRAY_TIMEUNITS (sizeof TpS / sizeof TpS[0])
+
 /* Version number strings. */
 static const char vers_1_0[] = {
 	'0', '0', '1', '.', '0', '0', '0', '\0'
@@ -167,7 +175,13 @@
 		file_type = WTAP_FILE_NETXRAY_1_1;
 	} else if (memcmp(hdr.version, vers_2_001, sizeof vers_2_001) == 0
 	    || memcmp(hdr.version, vers_2_002, sizeof vers_2_002) == 0) {
-		timeunit = 1193180.0;
+		if (hdr.timeunit > NUM_NETXRAY_TIMEUNITS) {
+			g_message("netxray: Unknown timeunit %u",
+				  hdr.timeunit);
+			*err = WTAP_ERR_UNSUPPORTED;
+			return -1;
+		}
+		timeunit = TpS[hdr.timeunit];
 		version_major = 2;
 		file_type = WTAP_FILE_NETXRAY_2_00x;
 	} else {

Follow-Ups:
- Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files
  - From: Guy Harris

References:
- Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] Patch for -R command line handling
Next by Date: Re: [Ethereal-dev] Filter bug ?
Previous by thread: Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files
Next by thread: Re: [Ethereal-dev] patch to fix time display in sniffer pro capture files
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$