Time stamp wireshark pcap
Last week Uwe, one of the instructors of the Wireshark class I created for FastLane, gave me a call in the evening. He was teaching a 5 day class in Hamburg at the time, and had had a student ask about a peculiar problem with frame/packet timestamps. I remembered that I had read something about this issue before, so I told him I'd investigate. And in the end, it looked like a good topic for a blog post, so here it is. It also means that I can point Uwe at this post instead of writing a lengthy email. Hm, wait… so now I write a blog post that is even longer?! Nevermind. Let's go.

Absolute timestamps seem pretty simple if you look at them in Wireshark, but let me tell you, they aren't. If you ever try to write code that reads multiple capture file formats you'll probably curse about the various methods of storing them (I know I did, and sometimes still do), and it can be a complex task to get your program to turn all of them into correct values. But even if you're not coding stuff like that you may run into trouble with timestamps, even when simply opening a capture file.

Let me show you an example (I use three timestamp columns by default, showing "Delta time displayed", "Relative time" and "Absolute date and time" all at the same time instead of the single relative time column that is the default):

Okay, a capture taken at 13:09 (that's 1:09pm for my friends in the US. Just sayin' 😉 ) on the 22nd of March 2014. Opening the exact same file on another system shows this instead, now with 04:09 (am) as the time:

So what happened? Let's do something crazy and look at the capture file in a hex editor. I prefer the "010 Editor" because it has parsing templates which can interpret the structure of binary files in the lower pane (really helpful if you're coding/parsing PCAP/PCAPng files):

As you can see, the timestamp of the first frame is stored as hexadecimal 0x6D7D2D53, with the microseconds in a second value being 0x231c0800. The first part is stored in seconds since January 1st, 1970, 00:00:00 GMT, also known as UN*X time. The 010 Editor template for PCAP files decodes the frame timestamp to 12:09:17, which together with the microsecond value being 531491 gives us 12:09:17.531491. This is one hour earlier than the first example above, so we have a third timestamp value that isn't the same as the others. The explanation for those three timestamp values is actually pretty simple: frame timestamps are always saved as GMT time.
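To make the storage layout concrete, here is a small added example (my own code, not from the post or from Wireshark) that parses the classic pcap record header from a constructed little-endian file carrying exactly the bytes discussed above, and renders the 32-bit seconds-since-epoch plus microseconds value the way an "Absolute date and time" column would in GMT, in UTC+1 and in UTC-8. Note that the post quotes the values in file byte order (6D 7D 2D 53), which the parser reads little-endian as 0x532D7D6D.

```python
import struct
from datetime import datetime, timezone, timedelta

# Constructed sample, not a real capture: a 24-byte little-endian pcap global
# header (magic 0xa1b2c3d4, version 2.4, snaplen 65535, link type 1 = Ethernet)
# followed by one record header with the bytes from the post and a 4-byte dummy body.
SAMPLE_PCAP = (
    bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000")
    + bytes.fromhex("6d7d2d53" "231c0800" "04000000" "04000000")  # ts_sec, ts_usec, incl_len, orig_len
    + b"\xde\xad\xbe\xef"
)

def pcap_endianness(data):
    """Return the struct byte-order prefix implied by the pcap magic number."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written by a little-endian host
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":      # written by a big-endian host
        return ">"
    raise ValueError("not a classic pcap file (magic %s)" % magic.hex())

def read_frame_timestamps(data):
    """Yield (ts_sec, ts_usec) for every record header in a classic pcap file.

    ts_sec counts seconds since 1970-01-01 00:00:00 GMT; the file stores no
    time zone, so the local zone of whoever opens it decides what is displayed.
    """
    order = pcap_endianness(data)
    offset = 24                           # global header is 24 bytes
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        yield ts_sec, ts_usec
        offset += 16 + incl_len           # skip record header and captured bytes

def format_timestamp(ts_sec, ts_usec, utc_offset_hours=0):
    """Render a frame timestamp as an absolute date/time in a zone at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
    return dt.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S.%f")

if __name__ == "__main__":
    for sec, usec in read_frame_timestamps(SAMPLE_PCAP):
        print("decoded ts_sec=0x%08x ts_usec=%d" % (sec, usec))
        print("GMT   :", format_timestamp(sec, usec))        # 12:09:17.531491
        print("UTC+1 :", format_timestamp(sec, usec, 1))     # 13:09:17.531491
        print("UTC-8 :", format_timestamp(sec, usec, -8))    # 04:09:17.531491
```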