Ethereal-users: RE: [Ethereal-users] Ethereal time format anomaly with libpcap fileformat
I would agree with Guy on option A, since I just tried to import the
Ethereal (tcpdump/libpcap) data to Sniffer directly (I don't do nice
management reports, I'm only here to make traces!) and had the same
results.
Gene
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Monday, December 29, 2003 11:35 AM
To: Chris_Friedline@xxxxxxxxxxxxxxx
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Ethereal time format anomaly with libpcap
fileformat
On Mon, Dec 29, 2003 at 02:22:11PM -0500,
Chris_Friedline@xxxxxxxxxxxxxxx wrote:
> Thoughts? Do I just need to convert everything to Sniffer before
> using EtherPeek or did I stumble upon something in Ethereal?
Time stamps in libpcap format are stored as seconds since January 1,
1970, 00:00:00 GMT, plus microseconds. DOS-based Sniffer files store
time stamps as local times.
I suspect that either

   1) EtherPeek's code for handling libpcap-format captures is
      broken and doesn't handle UNIX-style time stamps correctly

or

   2) the time stamps are wrong on your server but the C library
      functions Ethereal is using to process those time stamps are
      compensating for that

and as I have no reason to believe that the C library functions would
compensate for that, I suspect the answer is 1). The ability to read
libpcap-format captures in EtherPeek might be a new feature, so perhaps
there are some glitches in it (although Wildpackets' ProConvert has
handled them for a while).
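
The libpcap time stamp layout described in the reply above, as an added example that is not part of the original thread: it parses the record headers of a constructed capture into UTC times and shows the skew a reader gets if it treats the stored value as local time. The function names, the sample capture, the UTC-5 zone and the faulty reader are assumptions made for illustration, not the behaviour of any product named in the thread.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EST = timezone(timedelta(hours=-5))  # assumed capture-site zone (constructed)
# File magic 0xa1b2c3d4 as it appears on disk, mapped to struct byte order.
BYTE_ORDER = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}


def read_timestamps(data):
    """Return the UTC datetime of each record in a classic libpcap file."""
    order = BYTE_ORDER.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a microsecond-resolution libpcap file")
    stamps, pos = [], 24  # records start after the 24-byte global header
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            order + "IIII", data, pos)
        if ts_usec >= 1_000_000 or pos + 16 + incl_len > len(data):
            raise ValueError("corrupt or truncated record")
        # Seconds since 1970-01-01 00:00:00 GMT plus microseconds: zone-free.
        stamps.append(EPOCH + timedelta(seconds=ts_sec, microseconds=ts_usec))
        pos += 16 + incl_len
    return stamps


def misread_as_local(utc_dt, local_tz):
    """Hypothetical faulty reader: takes the UTC clock fields as local time."""
    return utc_dt.replace(tzinfo=local_tz)


def build_sample():
    """Constructed one-packet capture stamped 2003-12-29 19:22:11.25 UTC."""
    ts = int(datetime(2003, 12, 29, 19, 22, 11, tzinfo=timezone.utc).timestamp())
    payload = bytes(14)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", ts, 250000, len(payload), len(payload))
    return header + record + payload


if __name__ == "__main__":
    good = read_timestamps(build_sample())[0]
    bad = misread_as_local(good, EST)
    print("correct UTC  :", good.isoformat())
    print("shown in EST :", good.astimezone(EST).isoformat())
    print("misread skew :", bad - good)
```

When two tools disagree about packet times by a whole number of hours that matches the capture site's UTC offset, this kind of local-versus-UTC interpretation is the first thing to check before correlating the trace with other logs.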