Ethereal-users: Re: [Ethereal-users] Include timestamp with decoded packet
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 10 Mar 2003 11:10:47 -0800
On Mon, Mar 10, 2003 at 04:50:03PM +0100, Jonas Harvard wrote:
> How do I translate timestamps pertaining to each packet, from the raw
> data generated by tethereal?
By "raw data generated by Tethereal" do you mean the output written when
you run Tethereal with the "-w" flag?
If so, then it's just a libpcap-format capture, and you can use
libpcap/WinPcap to read them (i.e., you don't have to write your own
code to understand the file format - just let libpcap do it for you).
This means that you'll call "pcap_open_offline()" to open the file, and
then call "pcap_loop()" to read through the file, and pass to
"pcap_loop()" a pointer to a callback routine which is called for each
packet in the file.
To quote the current CVS version of the libpcap man page:
pcap_dispatch() is used to collect and process packets. cnt specifies the maximum number of packets to process before returning. This is not a minimum number; when reading a live capture, only one bufferful of packets is read at a time, so fewer than cnt packets may be processed. A cnt of -1 processes all the packets received in one buffer when reading a live capture, or all the packets in the file when reading a ``savefile''. callback specifies a routine to be called with three arguments: a u_char pointer which is passed in from pcap_dispatch(), a const struct pcap_pkthdr pointer to a structure with the following members:

    ts      a struct timeval containing the time when the packet was captured

    caplen  a bpf_u_int32 giving the number of bytes of the packet that are available from the capture

    len     a bpf_u_int32 giving the length of the packet, in bytes (which might be more than the number of bytes available from the capture, if the length of the packet is larger than the maximum number of bytes to capture)

and a const u_char pointer to the first caplen (as given in the struct pcap_pkthdr a pointer to which is passed to the callback routine) bytes of data from the packet (which won't necessarily be the entire packet; to capture the entire packet, you will have to provide a value for snaplen in your call to pcap_open_live() that is sufficiently large to get all of the packet's data - a value of 65535 should be sufficient on most if not all networks).

...

pcap_loop() is similar to pcap_dispatch() except it keeps reading packets until cnt packets are processed or an error occurs. It does not return when live read timeouts occur. Rather, specifying a non-zero read timeout to pcap_open_live() and then calling pcap_dispatch() allows the reception and processing of any packets that arrive when the timeout occurs. A negative cnt causes pcap_loop() to loop forever (or at least until an error occurs). A negative number is returned on an error; 0 is returned if cnt is exhausted.
so the time stamp is supplied as part of the "struct pcap_pkthdr" a
pointer to which is passed to your callback routine.
A "struct timeval" contains two members: "tv_sec", which is the seconds
portion of the time stamp, in seconds since January 1, 1970, 00:00:00
GMT (GMT, *NOT* local time!), and "tv_usec", which is the microseconds
portion of the time stamp.
To display that time stamp, you'd use "localtime()" (available on all
UNIX systems, as well as in the C library for Windows) to convert the
"tv_sec" to a "struct tm", and print out the members of the "struct tm".
You'd then display the microseconds portion right after the seconds
portion of the time stamp, with a "." or "," between them, and with the
appropriate number of leading zeroes.