Wireshark-users: Re: [Wireshark-users] Nano Second Time format
From: "Ambika Tripathy" <ambika.tripathy@xxxxxxxxxxxxxxxx>
Date: Fri, 28 Aug 2009 16:41:05 +0530

Hi,

 

Thanks a lot for your comments. I found one bug in my application in the magic number implementation. After changing the magic number, all my pcap files are working fine.

My doubt arose because one of my applications gets perfect timestamps, which it logs as below, and they also appear that way when I open the .pcap file in a hex editor.

 

>> >24:08:2009::16:08:47.953366470 len:222
>> >24:08:2009::16:08:47.953407180 len:242
>> >24:08:2009::16:08:47.955344460 len:212
>> >24:08:2009::16:08:47.956347400 len:232
>> >24:08:2009::16:08:47.957349920 len:272
>> >24:08:2009::16:08:47.958341610 len:202
>> >24:08:2009::16:08:47.959355940 len:262
>> >24:08:2009::16:08:47.961338370 len:192

 

I found that the file I attached in my last mail was corrupted when I exported a few packets from a big .pcap file, and hence the invalid timestamps resulted. I strongly believe there is a bug in Wireshark for that. The way to reproduce it is to first select a few packets using “Ctrl+M” and then save those marked packets; the resulting file will be the file I attached.

 

Br,

Ambika
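
The two checks this thread turns on, the pcap magic number and the valid range of the fractional-second field, as an added example (not code from any poster or from Wireshark). It assumes the classic 24-byte pcap global header; 0xa1b23c4d is libpcap's nanosecond magic, and the sample captures are constructed from the timestamp values quoted in the thread.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # standard magic quoted in the thread: sec + microseconds
MAGIC_NSEC = 0xA1B23C4D  # libpcap's magic for sec + nanoseconds

def detect_format(magic_bytes):
    """Return (struct byte order, exclusive limit for the fraction field)."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", magic_bytes)[0]
        if magic == MAGIC_USEC:
            return order, 1_000_000
        if magic == MAGIC_NSEC:
            return order, 1_000_000_000
    raise ValueError("not a classic pcap file: magic " + magic_bytes.hex())

def check_timestamps(data):
    """Return (fraction limit, [(packet number, problem), ...]) for a capture."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order, limit = detect_format(data[:4])
    problems, offset, prev, number = [], 24, None, 0
    while offset + 16 <= len(data):
        sec, frac, caplen, _ = struct.unpack_from(order + "IIII", data, offset)
        number += 1
        if frac >= limit:
            problems.append((number, "fraction 0x%08x out of range" % frac))
        if prev is not None and (sec, frac) < prev:
            problems.append((number, "timestamp goes back in time"))
        prev = (sec, frac)
        offset += 16 + caplen
    return limit, problems

def build_sample(magic, stamps, payload=b"\x00" * 4):
    """Constructed little-endian capture (not the thread's nano_demo.pcap)."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac in stamps:
        out += struct.pack("<IIII", sec, frac, len(payload), len(payload)) + payload
    return out

# (tv_sec, fraction) pairs from the table quoted in the thread.
THREAD_STAMPS = [(0x4A926DB7, 0xFFFE39D3), (0x4A926DB7, 0xFFFE6DB7),
                 (0x4A926DB7, 0x001C6858)]
# Fractions from the application log in the thread; tv_sec is a constructed value.
LOG_STAMPS = [(0x4A926DB7, 953366470), (0x4A926DB7, 953407180)]

if __name__ == "__main__":
    for name, magic in (("usec", MAGIC_USEC), ("nsec", MAGIC_NSEC)):
        for stamps in (THREAD_STAMPS, LOG_STAMPS):
            print(name, check_timestamps(build_sample(magic, stamps)))
```

Nanosecond fractions written under the standard magic are flagged as out of range, while the same records under the nanosecond magic pass.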

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of M Holt
Sent: 28 August 2009 16:06
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Nano Second Time format

 

Sorry if this is a silly question, but how are you viewing the time fields in hex?

On Thu, Aug 27, 2009 at 5:50 PM, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:

Is it a *standard* PCAP file? If so, both Wireshark (and libpcap/winpcap) assume that the timestamps are in sec/usec format, even if you actually saved nanoseconds in the "usec" part. The magic number for a file with nanosecond timestamps is different than the standard one, 0xa1b2c3d4.

In any case, I had a look at the nano_demo.pcap file, and the timestamps do not make any sense:

pkt   tv_sec        tv_usec (nanoseconds)
1     0x4a926db7    0xfffe39d3
2     0x4a926db7    0xfffe6db7
3     0x4a926db7    0x001c6858

First of all, 0xfffe39d3 = 4,294,851,027, which is greater than 1,000,000.

Then, the timestamp of the third packet seems to go back in time.

Did you write the code creating these capture files?

 

Have a nice day

GV

----- Original Message -----
From: M Holt
Sent: Wednesday, August 26, 2009 7:36 PM
Subject: Re: [Wireshark-users] Nano Second Time format

 

I tried the capture in 1.07 and 1.2.1, and got the same results.
I have used both Windows and Ubuntu 9.04 on a 32 bit system to view the file.
I did some google searches and I am not able to find anything else on the issue.

So, not much help, but I am *guessing* that the problem is in the capture.
Unfortunately, I couldn't begin to say where.

On Mon, Aug 24, 2009 at 10:14 AM, Ambika Pr. Tripathy <tripaam@xxxxxxxxxx> wrote:

I got this capture from my accelerator card, which I am using for monitoring
data capture and which supports nanosecond timestamps. But the problem is that
when I used WinPcap library functions to parse the packets, it shows perfect
timestamps, as expected, in the log I have attached below. The nanosecond
time and the second time are perfectly calculated by the card, as I see
from the capture file using the WinPcap API.

As per my knowledge, Wireshark is modifying the time to system time, and
then puts the first packet arrival time to 0.000000000 in the display, and
so on.

Is the problem in Wireshark or in my capture file?

The system I am using is Ubuntu 9.04, 64-bit server.

br,
Ambika



>-- Original Message --
>Date: Mon, 24 Aug 2009 07:11:50 -0700
>From: M Holt <m.iostreams@xxxxxxxxx>
>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>Subject: Re: [Wireshark-users] Nano Second Time format
>Reply-To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>
>
>Doing a google search for "Arrival Time: Fractional second -1430307000 is
>invalid, the valid range is 0-1000000000".
>It looks like it might be a bug in libpcap - where did you get the capture?
>
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530667
>
>Not sure if that helps...
>
>On Mon, Aug 24, 2009 at 5:36 AM, <j.snelders@xxxxxxxxxx> wrote:
>
>> Hi Ambika,
>>
>> This is what Wireshark/TShark shows:
>> $ tshark -r nano_demo.pcap -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.len -E header=y
>> frame.number    frame.time      frame.time_delta        frame.len
>> 1       Aug 24, 2009 12:38:47.-11626900 0.000000000     222
>> 2       Aug 24, 2009 12:38:47.-75559000 0.040710000     242
>> 3       Aug 24, 2009 12:38:47.186172000 0.1937279000    212
>> 4       Aug 24, 2009 12:38:47.-14303070 0.1002940296    232
>> 5       Aug 24, 2009 12:38:47.-42778700 0.1002520000    272
>> 6       Aug 24, 2009 12:38:47.563902000 0.991689000     202
>> 7       Aug 24, 2009 12:38:47.157823200 0.1014330000    262
>> 8       Aug 24, 2009 12:38:47.-73430400 0.1982431296    192
>>
>> I have no idea why Wireshark shows invalid frame times.
>> Expert Message: Arrival Time: Fractional second out of range (0-1000000000)
>>
>> Anyone else does?
>>
>> Best regards
>> Joan
>>
>>
>> On Mon, 24 Aug 2009 16:31:22 +0530 Ambika Pr. Tripathy wrote:
>> >Hi Joan,
>> >
>> >Thanks for your reply. I can open the file without any error. But the
>> >timestamp column shows negative values for some rows. But the nanosecond and
>> >second format is perfect in my file used by one of my applications.
>> >
>> >like my application shows the time as
>> >24:08:2009::16:08:47.953366470 len:222
>> >24:08:2009::16:08:47.953407180 len:242
>> >24:08:2009::16:08:47.955344460 len:212
>> >24:08:2009::16:08:47.956347400 len:232
>> >24:08:2009::16:08:47.957349920 len:272
>> >24:08:2009::16:08:47.958341610 len:202
>> >24:08:2009::16:08:47.959355940 len:262
>> >24:08:2009::16:08:47.961338370 len:192
>> >
>> >
>> >whereas Wireshark shows the timestamps of these files as attached with
>> >this mail.
>> >
>> >
>> >br,
>> >Ambika
>> >
>> >
>> >>-- Original Message --
>> >>Date: Mon, 24 Aug 2009 10:26:25 +0200
>> >>From: j.snelders@xxxxxxxxxx
>> >>To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>> >>Subject: Re: [Wireshark-users] Nano Second Time format
>> >>Reply-To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>> >>
>> >>
>> >>Hi Ambika,
>> >>
>> >>What is the problem?
>> >>Can't you open the capture file?
>> >>Do you get an error message?
>> >>
>> >>Don't you see the nanoseconds?
>> >>Go to View -> Time Display Format -> Select Nanoseconds: 0.123456789
>> >>
>> >>HTH
>> >>Joan
>> >>
>> >>On Mon, 24 Aug 2009 13:04:24 +0530 Ambika Tripathy wrote
>> >>>
>> >>>I am facing problem when opening one .pcap file with nano second time stamp
>> >>>in PCAP header using wireshark Version 1.1.3 (SVN Rev 27807). Is it possible
>> >>>to open it using the same version or there is any other version which
>> >>>support the format.
>> >>>
>> >>>
>> >>>
>> >>>Thanks in advance for your response.
>> >>>
>> >>>
>> >>>
>> >>>Br,
>> >>>
>> >>>Ambika Prasad Tripathy
>> >>>
>> >>>Call@ +91 94375 47730
>> >>
>> >>___________________________________________________________________________
>> >>Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> >>Archives:    http://www.wireshark.org/lists/wireshark-users
>> >>Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> >>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>> >
>> >Ambika Prasad Tripathy
>> >
>> >NetHawk Networks India Pvt. Ltd.
>> >Mob: +91-94375 47730
>> >mail: ambika.tripathy@xxxxxxxxxxxxxxxx
>> >web: www.nethawk.fi
>> >
>> >
>> >
>> >Bijlage: nano_demo.pcap
>> >
>>
>>

Ambika Prasad Tripathy

NetHawk Networks India Pvt. Ltd.
Mob: +91-94375 47730
mail: ambika.tripathy@xxxxxxxxxxxxxxxx
web: www.nethawk.fi

