Ethereal-users: Re: [Ethereal-users] Problem with Elapsed Time reading Sniffer File
David_Long@xxxxxxxxxxxx wrote:
> Comparing two captures of the same data taken on opposite sides of a WAN
> cloud, one taken by Ethereal and one by Sniffer, I noticed discrepancies
> in the timing when comparing the two using Ethereal.
Ethereal's code to get time stamps from Windows Sniffer files has some
problems; it's much improved in 0.10.9, but people have still seen problems.
We'd need a copy of one of the files with a problem in order to figure
out the cause. There are a couple of people who've been working on this
(James Fields and Kevin Johnson; they're the ones who contributed the
improvements in 0.10.9) - I don't know if they read the ethereal-users
list, but they do read the ethereal-dev list, so I'm CCing that list.
> When Ethereal 0.10.9 (on WinXP-SP1) reads a file from Sniffer version
> 4.70.04 (on Win2K-SP4), it reports the elapsed time compressed by a factor
> of about 3.6, i.e. a capture of 1 minute and 23.1 seconds on the Sniffer
> appears only to be 23.2 seconds long in Ethereal. The compression is equal
> throughout the capture, i.e. you can take any elapsed time in Ethereal,
> multiply it by 3.6 and get the original elapsed time in Sniffer.
The improvements they contributed get the time stamp units from a field
in the file header, but that field isn't always present. In earlier
releases, before they'd figured out that the field in question had the
time stamp units, we'd tweaked a table that converted a unit
specification (a small integer) to the time stamp units to try to fix
problems; it might be that one of those tweaks
1) broke the handling of some capture files
and
2) wasn't necessary because the files the tweaks were done to fix had
the time stamp unit field in the file header
so we might have to re-tweak the time stamp units table, or it might be
that your files have the time stamp unit field but Ethereal isn't
recognizing that fact.
> I have tried other Time column formats than the default, but with no
> improvement.
That won't make a difference - the problem isn't the format, it's the
numbers themselves; changing the time column format just changes the way
the times are displayed, but the relative and delta times are just
computed from the absolute times, so if the absolute times are wrong,
the relative and delta times will also be wrong.