Ethereal-dev: Re: [Ethereal-dev] Support for distributed sniffer format

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Bill Meier" <wmeier@xxxxxxxxxxx>
Date: Wed, 12 Apr 2006 21:47:02 -0500
Sake Blok wrote....

> I have taken a look at the trace myself and calculated the TpS to be
> 20000000.0 for this particular trace. If I also discard the start_timestamp
> like it has been done for other versions of the netxray format, then
> I get the proper results.
> 

OK

> On another trace, taken with Sniffer Portable, I see that the TpS is
> a factor of 3 off; in the source I see the following:
> 
>  * XXX - the third item is 1193180.0, presumably because somebody found
>  * it gave the right answer for some captures, but 3 times that, i.e.
>  * 3579540.0, appears to give the right answer for some other captures.
>  * Some captures have realtick of 1193182, some have 3579545, and some
>  * have 1193000.  Most of those, in one set of captures somebody has,
>  * are wrong.
> 
> For my trace the 3579540.0 would be the correct value.
> Is it ok for me to include value 3579540.0 in the patch I'm 
> about to make? Or would that result in a flip-flopping value?
> 
> Might these timeunit indexes be different for different major/minor 
> versions of this file-format? 

Certainly a possibility... Or perhaps something else is different to 
determine the TpS to be used. In any case, as the comment in the source 
indicates, there are captures for which 1193182 is the correct TpS value for 
this captype/timeunit and so the value should not be changed.

Can you provide the capture so I can compare it to other captures to see 
whether the versions are different or whether something else is different?


> That leaves me with my initial question, did anyone try to get the
> specs of the file-format from Network General?

(The short answer: I don't know, so I'll leave this to others on the list to 
answer).

Bill Meier