Wireshark · Ethereal-dev: Re: [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps

Ethereal-dev: Re: [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Charles Levert <chuck@xxxxxxxxxxxxxxxx>

Date: Tue, 26 Oct 2004 16:23:36 -0400

* On Saturday 2004-10-23 at 03:47:07 -0400, Charles Levert wrote:
> The following patch displays TCP timestamps as up times, somewhat
> as p0f <http://lcamtuf.coredump.cx/p0f/p0f.shtml>
> and Netcraft <http://uptime.netcraft.com/up/graph> do.
> 
> Of course, these up times are meaningless for hosts running operating
> systems that apply countermeasures (like OpenBSD).  They are valid for
> most OSes (including Linux), though.

Sorry to follow on my own message, but it's been a few days without
feedback and I have updated the patch slightly.

Since not all OSes use a 100 Hz aka 10 ms clock, I have modified the
displayed string to explicitly state that assumption.  This is the best
thing to do in the absence of signature-based OS detection, which is
probably outside the scope of Ethereal.  For comparison purposes, p0f
only support a 100 Hz clock while Netcraft gives up on higher frequency
clocks since the up time is then too likely to have rolled over (wrapped
after maximum 32-bit unsigned value) anyway.

Please comment (including "not interested" kind of feedback:  I'll stop
following up on it then :-).



[ Generated with ude,
    the unified-format diff-output ("unidiff") editor,
    version 0.1 of 2004-10-13.  ]
--- epan/dissectors/packet-tcp.c.orig-0.10.7	2004-10-20 18:34:51 -0400
+++ epan/dissectors/packet-tcp.c	2004-10-26 16:04:45 -0400
@@ -4 +4 @@
  * $Id: packet-tcp.c 12259 2004-10-11 08:12:34Z sahlberg $
@@ -132,6 +132,7 @@
 static gint ett_tcp_flags = -1;
 static gint ett_tcp_options = -1;
 static gint ett_tcp_option_sack = -1;
+static gint ett_tcp_option_timestamp = -1;
 static gint ett_tcp_analysis = -1;
 static gint ett_tcp_analysis_faults = -1;
 static gint ett_tcp_segments = -1;
@@ -2205,18 +2206,71 @@ dissect_tcpopt_echo(const ip_tcp_opt *op
   tcp_info_append_uint(pinfo, "ECHO", echo);
 }
 
+static void
+dissect_tcpopt_timestamp_field(const proto_tree *ts_tree,
+    tvbuff_t *tvb, int offset,
+    const char *name, guint32 value)
+{
+  /* Always use correct unit symbols.  We assume a 10 ms tick.  */
+  /* " (up time if 100 Hz clock: 497 d + 02 h + 27 min + 52.95 s)" */
+  char up[60];
+  char *s = "";
+  const char sp[] = " + ";
+  guint32 r, q;
+
+  if (value) {
+    strcpy(up, " (up time if 100 Hz clock: ");
+    r = value;
+    q = r / 8640000;
+    if (q) {
+      r -= q * 8640000;
+      sprintf(up + strlen(up), "%u d", q);
+      s = sp;
+    }
+    q = r / 360000;
+    if (q) {
+      r -= q * 360000;
+      sprintf(up + strlen(up), "%s%u h", s, q);
+      s = sp;
+    }
+    q = r / 6000;
+    if (q) {
+      r -= q * 6000;
+      sprintf(up + strlen(up), "%s%u min", s, q);
+      s = sp;
+    }
+    q = r / 100;
+    r -= q * 100;
+    if (q || r)
+      sprintf(up + strlen(up), "%s%u.%02u s", s, q, r);
+    strcpy(up + strlen(up), ")");
+  } else
+    up[0] = '\0';
+
+  proto_tree_add_text(ts_tree, tvb, offset, 4,
+    "%s: %u%s", name, value, up);
+}
+
 static void
 dissect_tcpopt_timestamp(const ip_tcp_opt *optp, tvbuff_t *tvb,
     int offset, guint optlen, packet_info *pinfo, proto_tree *opt_tree)
 {
   guint32 tsv, tser;
+  proto_item *tf;
+  proto_tree *ts_tree;
 
   tsv = tvb_get_ntohl(tvb, offset + 2);
   tser = tvb_get_ntohl(tvb, offset + 6);
   proto_tree_add_boolean_hidden(opt_tree, hf_tcp_option_time_stamp, tvb, 
 				offset, optlen, TRUE);
-  proto_tree_add_text(opt_tree, tvb, offset,      optlen,
+  tf = proto_tree_add_text(opt_tree, tvb, offset, optlen,
     "%s: tsval %u, tsecr %u", optp->name, tsv, tser);
+  ts_tree = proto_item_add_subtree(tf, *optp->subtree_index);
+  dissect_tcpopt_timestamp_field(ts_tree, tvb, offset + 2,
+    "Timestamp Value", tsv);
+  /* XXX:  TSecr invalid unless ACK; we should warn.  */
+  dissect_tcpopt_timestamp_field(ts_tree, tvb, offset + 6,
+    "Timestamp Echo Reply", tser);
   tcp_info_append_uint(pinfo, "TSV", tsv);
   tcp_info_append_uint(pinfo, "TSER", tser);
 }
@@ -2303,7 +2357,7 @@ static const ip_tcp_opt tcpopts[] = {
   {
     TCPOPT_TIMESTAMP,
     "Time stamp",
-    NULL,
+    &ett_tcp_option_timestamp,
     FIXED_LENGTH,
     TCPOLEN_TIMESTAMP,
     dissect_tcpopt_timestamp
@@ -3223,6 +3277,7 @@ proto_register_tcp(void)
 		&ett_tcp_flags,
 		&ett_tcp_options,
 		&ett_tcp_option_sack,
+		&ett_tcp_option_timestamp,
 		&ett_tcp_analysis_faults,
 		&ett_tcp_analysis,
 		&ett_tcp_segments,

Follow-Ups:
- Re: [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps
  - From: Guy Harris

References:
- [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps
  - From: Charles Levert

Prev by Date: Re: [Ethereal-dev] Exception in pdml
Next by Date: RE: [Ethereal-dev] Transform "H323 Conversations" to a more gener ic "VoIP Convesations"
Previous by thread: [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps
Next by thread: Re: [Ethereal-dev] patch to packet-tcp.c to display up times if timestamps
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$