
Wireshark-bugs: [Wireshark-bugs] [Bug 7457] New: PCAPNG: timestamps get changed when tshark read

Date: Sun, 8 Jul 2012 18:58:01 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7457

           Summary: PCAPNG: timestamps get changed when tshark reads and
                    saves a pcapng file
           Product: Wireshark
           Version: 1.8.0
          Platform: x86
        OS/Version: SuSE
            Status: NEW
          Severity: Critical
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: holychan@xxxxxxxxx


Build Information:
TShark 1.8.0 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.22.5, with libpcap, with libz 1.2.3, without POSIX
capabilities, without SMI, without c-ares, without ADNS, without Lua, without
Python, with GnuTLS 2.4.1, with Gcrypt 1.4.1, without Kerberos, without GeoIP.

Running on Linux 2.6.33.7-rt29-0.5-rt, with locale en_US.UTF-8, with libpcap
version 1.3.0, with libz 1.2.3.

Built using gcc 4.6.3.

--
When you try to read a pcapng file and save it to a new pcapng file, the
timestamp is trimmed down! The decimal place is moved to the front and the
last digit is rounded off. The timestamp is no longer correct. Could anyone
please help me correct it? Thanks a lot!

--------------------------------------------------
$ tshark -r capture.20120625.pcapng -t e | head -3
1 1340398414.509256500 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
2 1340398416.805447300 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
3 1340398417.391487800 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device
ID: SSI1516004B  Port ID: Ethernet1/50/2
--------------------------------------------------
$ tshark -F pcapng -r capture.20120625.pcapng -w testout.pcapng -c 3

--------------------------------------------------
$ tshark -r testout.pcapng -t e | head -3
1 134039841.450925600 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
2 134039841.680544700 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53
RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
3 134039841.739148700 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device
ID: SSI1516004B  Port ID: Ethernet1/50/2
--------------------------------------------------

I checked that my if_tsresol field in the original IS block is 7. So
effectively the timestamp lost its least significant digit but the program
still wanted to maintain the original number of decimal places. As a result,
the decimal point is moved to the front by 1 digit.

I am using:

libpcap-1.3.0
wireshark-1.8.0 ( downloaded from http://www.wireshark.org/download.html )
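
Added example, not part of the original report and not Wireshark code: a small
Python check that decodes if_tsresol and flags a rewritten capture whose
timestamps no longer match the original, which matters when a capture is
evidence in a timeline. The function mismatched_rewrite is an assumed model
that happens to reproduce the three output lines shown above; the raw tick
values are reconstructed from the printed timestamps.

```python
from fractions import Fraction

def ticks_per_second(if_tsresol: int) -> int:
    """Decode the one-byte if_tsresol option of a pcapng Interface
    Description Block: MSB clear means 10^n ticks/s, MSB set means 2^n."""
    exponent = if_tsresol & 0x7F
    return 2 ** exponent if if_tsresol & 0x80 else 10 ** exponent

def to_epoch(raw_ticks: int, if_tsresol: int) -> Fraction:
    """Exact epoch seconds for a raw 64-bit packet timestamp."""
    return Fraction(raw_ticks, ticks_per_second(if_tsresol))

def fmt(epoch: Fraction, digits: int = 9) -> str:
    """Render like `tshark -t e` (nine fractional digits)."""
    secs, frac = divmod(epoch, 1)
    return f"{int(secs)}.{int(frac * 10 ** digits):0{digits}d}"

def mismatched_rewrite(raw_ticks: int, if_tsresol: int) -> int:
    """ASSUMED model of the symptom, not Wireshark's code: the value is
    rescaled to microsecond ticks (truncating) but the copy still
    declares the original if_tsresol."""
    return raw_ticks * 10 ** 6 // ticks_per_second(if_tsresol)

def audit(raw_samples, if_tsresol, rewrite):
    """Return (original, rewritten, ok) per packet; ok means the copy is
    within one microsecond of the original."""
    rows = []
    for raw in raw_samples:
        before = to_epoch(raw, if_tsresol)
        after = to_epoch(rewrite(raw, if_tsresol), if_tsresol)
        ok = abs(before - after) <= Fraction(1, 10 ** 6)
        rows.append((fmt(before), fmt(after), ok))
    return rows

# Raw tick values reconstructed from the three timestamps printed in the
# report (seconds * 10^7, since the reporter states if_tsresol = 7).
SAMPLES = [13403984145092565, 13403984168054473, 13403984173914878]

if __name__ == "__main__":
    for before, after, ok in audit(SAMPLES, 7, mismatched_rewrite):
        print(before, "->", after, "OK" if ok else "CORRUPTED")
```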
