Wireshark-dev: Re: [Wireshark-dev] Set capture to TZ blah?
From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Mon, 16 Mar 2015 11:41:27 -0700
On Mon, Mar 16, 2015 at 12:20 AM, Michal Labedzki
<michal.labedzki@xxxxxxxxx> wrote:
> I know this issue. I use "View -> Timeshift -> Shift all packets
> (+8:00:00)", which adds 8 hours to all packet timestamps. Of course you
> must know the time difference between the logs, but to this day it
> works for me.

Hmmm, for the version of the UI I am using that is under
Edit->TimeShift ... not really an intuitive place ...

> Is TZ (and DST) saved in pcapng? I think it should be. Like machine endianness.
>
> On 14 March 2015 at 21:07, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>>
>> On Mar 14, 2015, at 12:34 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>>
>>> On 03/14/2015 02:16 PM, Guy Harris wrote:
>>>>
>>>> On Mar 14, 2015, at 8:00 AM, Niels de Vos <ndevos@xxxxxxxxxx> wrote:
>>>>
>>>>> When I have captures and logs that do not match the timezone, I use the
>>>>> TZ environment variable to read the captures in the timezone of the
>>>>> logs, like:
>>>>>
>>>>>    $ TZ=America/New_York tshark -r /path/to/capture.pcap.gz ....
>>>>>
>>>>> or
>>>>>
>>>>>    $ TZ=America/New_York wireshark /path/to/capture.pcap.gz
>>>>
>>>> That would work on systems using the IANA tz database (and using the new tz naming scheme; I'm not sure whether Solaris does), so it'd work on, at minimum, most if not all Linux distributions, *BSD, and OS X.
>>>>
>>>> However, it doesn't work on, for example, Windows, which doesn't use the IANA tz database.
>>>
>>> (I think) the only thing that doesn't work on Windows is specifying the timezone in that format.  At least according to:
>>>
>>> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2629#c4
>>>
>>> you can still set the TZ variable on Windows (in a command shell) and Wireshark will use it.  Presumably you just need to know the right format.
>>
>>         https://msdn.microsoft.com/en-us/library/90s5c885.aspx
>>
>>> (Personally I'm more used to doing things like TZ=PDT
>>
>>         $ sw_vers
>>         ProductName:    Mac OS X
>>         ProductVersion: 10.8.5
>>         BuildVersion:   12F2501
>>         $ date
>>         Sat Mar 14 12:42:50 PDT 2015
>>         $ TZ=PDT date
>>         Sat Mar 14 19:41:29 UTC 2015
>>
>> Perhaps you meant "TZ=PST8PDT"?  That syntax dates back at least to System III:
>>
>>         http://bitsavers.org/pdf/att/unix/System_III/UNIX_Users_Manual_Release_3_Jun80.pdf
>>
>> (see the ENVIRON(7) page near the end), but wasn't used in V7 or BSD.  POSIX went with an extended version of that syntax:
>>
>>         http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
>>
>> but Microsoft's doesn't support all the POSIX capabilities - in particular, the documentation does not claim that you can specify the *transition dates/times for daylight savings time/summer time*, so presumably it assumes the same rules as for your locale, which are likely to be wrong if the time zone setting you want for the capture is for a country other than, if you're in the US or Canada, the US or Canada or, if you're in Europe, another European country.
>>
>>> than these fancy new-fangled TZ names;
>>
>> "New-fangled" presumably meaning "prior to 1986", when the tz database was first introduced.  The advantage of the Olson/IANA names is that the names don't themselves incorporate the transition rules, the way the POSIX strings do, but do *identify* them, which the old-style UNIX TZ and Microsoft TZ settings don't.
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
> --
>
> Regards / Best regards
> -------------------------------------------------------------------------------------------------------------
> Michał Łabędzki, Software Engineer
> Tieto Corporation
>
> Product Development Services
>
> http://www.tieto.com / http://www.tieto.pl
> ---
> ASCII: Michal Labedzki
> location: Swobodna 1 Street, 50-088 Wrocław, Poland
> room: 5.01 (desk next to 5.08)
> ---
> Please note: The information contained in this message may be legally
> privileged and confidential and protected from disclosure. If the
> reader of this message is not the intended recipient, you are hereby
> notified that any unauthorised use, distribution or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, please notify us immediately by replying to
> the message and deleting it from your computer. Thank You.
> ---
> Please consider the environment before printing this e-mail.
> ---
> Tieto Poland limited liability company (spółka z ograniczoną odpowiedzialnością) with its
> registered office in Szczecin, ul. Malczewskiego 26. Registered in the District Court
> Szczecin-Centrum in Szczecin, XIII Commercial Division of the National Court
> Register under number 0000124858. NIP (tax ID): 8542085557. REGON:
> 812023656. Share capital: 4 271500 PLN



-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
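The thread's underlying point is that a pcap file stores each packet's timestamp as seconds since the epoch (UTC); TZ, Timeshift and the Windows/POSIX TZ-string differences only affect how that value is rendered, and a zone setting that carries no daylight-saving transition rules can render packets an hour off on either side of a DST switch, which matters when correlating a capture with logs during an incident. The following is an added example (not code from the thread, Wireshark or tshark) that builds a tiny constructed pcap containing two packets straddling the US spring-forward of 8 March 2015, then renders them both with an IANA zone and with a fixed-offset zone that has no transition rule. The packet contents, the helper names and the sample timestamps are all constructed for this illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Classic pcap magic for microsecond-resolution files. pcap does record the
# writer's byte order (via this marker) but records no time zone at all.
PCAP_MAGIC = 0xA1B2C3D4
UTC = timezone.utc


def build_pcap(packets, little_endian=True):
    """Build a minimal pcap from [(epoch_sec, usec, payload)] (constructed test data)."""
    end = "<" if little_endian else ">"
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    header = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack(end + "IIII", sec, usec, len(p), len(p)) + p
        for sec, usec, p in packets
    )
    return header + records


def parse_pcap(data):
    """Yield (epoch_sec, usec, payload) for each record, honouring the endianness marker."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same marker written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap")
    off = 24                           # fixed-size global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, data[off:off + incl_len]
        off += incl_len


def fixed_offset(hours, name):
    """A zone with a constant UTC offset and no DST rules (what a bare 'EST5' style
    setting, or a TZ implementation that ignores transition rules, amounts to)."""
    return timezone(timedelta(hours=hours), name)


def render_all(data, tz):
    """Render every packet timestamp in zone `tz` (an IANA name or a tzinfo)."""
    if isinstance(tz, str):
        tz = ZoneInfo(tz)
    out = []
    for sec, usec, _payload in parse_pcap(data):
        ts = datetime.fromtimestamp(sec, tz=UTC).replace(microsecond=usec)
        out.append(ts.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %Z"))
    return out


# Constructed sample: one packet before and one after the US DST start
# (2015-03-08 02:00 EST == 07:00 UTC). Payloads are dummy Ethernet-sized zeros.
SAMPLE = build_pcap([
    (int(datetime(2015, 3, 8, 6, 30, tzinfo=UTC).timestamp()), 0, b"\x00" * 14),
    (int(datetime(2015, 3, 8, 7, 30, tzinfo=UTC).timestamp()), 0, b"\x00" * 14),
])

if __name__ == "__main__":
    # The IANA zone knows the transition; the fixed offset silently misrenders
    # the second packet by an hour, the failure mode discussed in the thread.
    print("America/New_York:", render_all(SAMPLE, "America/New_York"))
    print("fixed -05:00    :", render_all(SAMPLE, fixed_offset(-5, "EST")))
```

The on-disk values are identical in both runs; only the rendering differs. When matching a capture against log lines written in local time, render with the IANA zone of the host that wrote the logs (as the `TZ=America/New_York` invocations earlier in the thread do), or better, convert the logs to UTC so both sides share the epoch the capture already uses.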