Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 7048] pcap-ng Interface Statistics block writes wrong time

Date: Sun, 15 Apr 2012 02:19:28 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7048

--- Comment #4 from Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> 2012-04-15 02:19:28 PDT ---
(In reply to comment #3)
> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
> says for isb_starttime:
> "Time in which the capture started; time will be stored in two blocks of four
> bytes each. The format of the timestamp is the same already defined in the
> Enhanced Packet Block (Section 3.3)."
> This indicates some sort of two 4 bytes parts. Looking at Section 3.3:
> "Timestamp (High) and Timestamp (Low): high and low 32-bits of a 64-bit
> quantity representing the timestamp. The timestamp is a single 64-bit unsigned
> integer representing the number of units since 1/1/1970. The way to interpret
> this field is specified by the 'if_tsresol' option (see Figure 9) of the
> Interface Description block referenced by this packet. Please note that
> differently from the libpcap file format, timestamps are not saved as two
> 32-bit values accounting for the seconds and microseconds since 1/1/1970. They
> are saved as a single 64-bit quantity saved as two 32-bit words."
> 
> So I guess Jasper is right?
> 
> Am I missing something?

Ok, I can't read spec. You're both right :)
Actually I wonder why timestamp is written this way (Windows FILETIME awkward?)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.