|
Hi, I need some guidance on the time zone settings in a PCAP-NG file. I have a pcapng file captured in the UK on 12th October 2016. That means that the time zone at the time of capture was GMT +1. There is a trace entry in this trace that shows in Wireshark
today as 15:40:31.541142. A screenshot taken at the time of the trace entry shows a clock time of 15:40.
If I look inside the pcapng file with a hex editor, there is no if_tzone option set in the IDB. The EPB for the trace entry I’ve referred to above has: ·
Timezone High – 0xAB3E0500 ·
Timezone Low – 0xC0B1FE22 If there is no time reference setting in the trace file, how does Wireshark know that the file was recorded in GMT +1 timezone. This isn’t just idle curiosity. I’ve written a trace format converter that converts IIS Logs into pcapng files. IIS logs are recorded with GMT times by default. The converter works OK but the timestamps in the packet list of the resulting
converted file shows as though I am looking at GMT (see image below). So I have an IIS log entry that matches the network trace entry above but shows as 14:40:31.
I’ve tried coding for the if_tzone IDB option and setting it to zero (GMT) but it makes no difference. How do I get Wireshark to convert the time of a GMT trace entry to local time? Thanks and regards…Paul ______________________________________________________________________ This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________ |
- Follow-Ups:
- Re: [Wireshark-dev] Time Zone Setting in a PCAP-NG file
- From: Guy Harris
- Re: [Wireshark-dev] Time Zone Setting in a PCAP-NG file
- Prev by Date: Re: [Wireshark-dev] Remove our bundled crypto library (in favor of Libgcrypt)?
- Next by Date: [Wireshark-dev] Preferences dialog width - GTK interface
- Previous by thread: Re: [Wireshark-dev] Remove our bundled crypto library (in favor of Libgcrypt)?
- Next by thread: Re: [Wireshark-dev] Time Zone Setting in a PCAP-NG file
- Index(es):