-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Attached is a patch for ethereal (version 0.10.10-SVN-14026) that will fix
the SEBEK protocol dissector. Also attached is a compressed tcpdump file
to demonstrate the issue and verify the fix.

Brief description of the problem:

The fractional portion of the time is displayed incorrectly by the ethereal
SEBEK protocol decoder.

Long Explanation:

The 4-byte section of the packet generated by the Sebek client, both Windows
and Linux, is intended to represent a value measured in microseconds. The
time structure used in ethereal (nstime_t, see nstime.h) has members that
store the time in seconds (time_t secs) and nanoseconds (int nsec). The
ethereal decoder assigns the value present in the SEBEK portion of the packet
to the nsec member of the ethereal nstime_t struct. The result is that the
fractional portion of the time displayed by the ethereal decoder is off by a
factor of 1000.

The Fix (packet-sebek.c):

The attached patch multiplies the value in the packet by 1000 before assigning
it to the nsec member.
--
David B. Koconis, Ph.D. Senior Research Engineer
dbk@xxxxxxxxxxxxxxxxxx Institute for Security Technology Studies
phone & fax (401) 245-7917 Dartmouth College, Hinman Box 6226
Hanover, NH 03755
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCWoXJ+ko/bObhq/0RAtgOAKC4gxHjqcS5yXHU1wuSDl7GWHvFlQCgtsUR
sPh+wRrxBFPFTaNL9sSYyd4=
=e82Y
-----END PGP SIGNATURE-----
Attachment:
W2K_startup_until_login.dmp.gz
Description: GNU Zip compressed data
--- packet-sebek.c 2005-04-07 09:55:10.000000000 -0400
+++ new-packet-sebek.c 2005-04-11 09:47:16.873540864 -0400
@@ -127,7 +127,8 @@
offset += 4;
ts.secs = tvb_get_ntohl(tvb, offset);
- ts.nsecs = tvb_get_ntohl(tvb, offset+4);
+ /* Sebek client time struct is seconds and microseconds. nstime_t is seconds and nanoseconds */
+ ts.nsecs = tvb_get_ntohl(tvb, offset+4)*1000;
proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
offset += 8;
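Review bot: the product `tvb_get_ntohl(tvb, offset+4)*1000` is stored into the `int nsecs` member without any range check, so a truncated or deliberately malformed packet whose microsecond field is 4294968 or larger wraps the unsigned 32-bit multiply before the assignment and `proto_tree_add_time` receives an out-of-range nanosecond count. Since a well-formed Sebek client can only send values below 1000000, read the field into a local first and reject or flag anything at or above that bound, e.g. `guint32 usec = tvb_get_ntohl(tvb, offset+4);` followed by a check against 1000000 and then `ts.nsecs = usec * 1000;`; that also keeps the result below 2^31 so it fits in `int`.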
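To make the seconds/microseconds to nanoseconds conversion described in the Long Explanation and patched above concrete, here is an added example in C. It is not ethereal code and not part of the original message: a plain big-endian read stands in for tvb_get_ntohl(), an assumed example_nstime_t struct stands in for ethereal's nstime_t, and sebek_parse_time() adds a range check on the microsecond field that the one-line patch does not have. The sample bytes are constructed; the "buggy" variant reproduces the pre-patch behaviour for comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the two nstime_t members the dissector fills in
 * (the real definition lives in ethereal's nstime.h). */
typedef struct {
    int64_t secs;   /* time_t secs in nstime_t */
    int32_t nsecs;  /* int nsecs in nstime_t */
} example_nstime_t;

/* Big-endian 32-bit read: the job tvb_get_ntohl() does in ethereal. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pre-patch behaviour: the microsecond field is stored as if it were
 * nanoseconds, so the fraction comes out 1000 times too small. */
int sebek_parse_time_buggy(const uint8_t *buf, size_t len, size_t offset,
                           example_nstime_t *out)
{
    if (offset > len || len - offset < 8)
        return -1;                                   /* field truncated */
    out->secs  = get_be32(buf + offset);
    out->nsecs = (int32_t)get_be32(buf + offset + 4);
    return 0;
}

/* Patched behaviour plus a range check: Sebek sends seconds followed by
 * microseconds, both big-endian. Returns 0 on success, -1 if the buffer is
 * too short, -2 if the microsecond field is out of range. */
int sebek_parse_time(const uint8_t *buf, size_t len, size_t offset,
                     example_nstime_t *out)
{
    if (offset > len || len - offset < 8)
        return -1;                                   /* field truncated */
    uint32_t secs = get_be32(buf + offset);
    uint32_t usec = get_be32(buf + offset + 4);
    /* A well-formed client never sends >= 1000000 us. Rejecting such values
     * also keeps usec * 1000 below 2^31, so the int nsecs member cannot wrap. */
    if (usec >= 1000000u)
        return -2;
    out->secs  = secs;
    out->nsecs = (int32_t)(usec * 1000u);
    return 0;
}

/* Constructed 8-byte Sebek time field: secs 0x425A85C9 (1113228745),
 * usec 0x0001E240 (123456). */
static const uint8_t SAMPLE_TIME[8] =
    {0x42, 0x5A, 0x85, 0xC9, 0x00, 0x01, 0xE2, 0x40};
/* Constructed malformed field: usec 0xFFFFFFFF, whose product with 1000
 * would wrap a 32-bit multiply. */
static const uint8_t MALFORMED_TIME[8] =
    {0x42, 0x5A, 0x85, 0xC9, 0xFF, 0xFF, 0xFF, 0xFF};

int64_t demo_secs(void)
{
    example_nstime_t t = {0, 0};
    sebek_parse_time(SAMPLE_TIME, sizeof SAMPLE_TIME, 0, &t);
    return t.secs;                                   /* 1113228745 */
}

int32_t demo_nsecs_fixed(void)
{
    example_nstime_t t = {0, 0};
    sebek_parse_time(SAMPLE_TIME, sizeof SAMPLE_TIME, 0, &t);
    return t.nsecs;                                  /* 123456000 */
}

int32_t demo_nsecs_buggy(void)
{
    example_nstime_t t = {0, 0};
    sebek_parse_time_buggy(SAMPLE_TIME, sizeof SAMPLE_TIME, 0, &t);
    return t.nsecs;                                  /* 123456 */
}

int demo_malformed_rc(void)
{
    example_nstime_t t = {0, 0};
    return sebek_parse_time(MALFORMED_TIME, sizeof MALFORMED_TIME, 0, &t); /* -2 */
}

int demo_short_rc(void)
{
    example_nstime_t t = {0, 0};
    /* Only 4 bytes remain after offset 4: the 8-byte field does not fit. */
    return sebek_parse_time(SAMPLE_TIME, sizeof SAMPLE_TIME, 4, &t);     /* -1 */
}

int main(void)
{
    printf("fixed:  %lld.%09d\n", (long long)demo_secs(), demo_nsecs_fixed());
    printf("buggy:  %lld.%09d\n", (long long)demo_secs(), demo_nsecs_buggy());
    printf("malformed rc=%d, short rc=%d\n", demo_malformed_rc(), demo_short_rc());
    return 0;
}
```

Running it prints the same timestamp twice, once with the fraction .123456000 and once with the pre-patch .000123456, which is the factor-of-1000 error the message describes; the malformed and short inputs are refused instead of producing a wrapped or out-of-bounds read.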