
Ethereal-dev: [Ethereal-dev] (Fwd) Re: Sniffer timestamps displayed incorrectly: Informatio

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Bill Meier" <wmeier@xxxxxxxxxxx>
Date: Thu, 03 Jul 2003 18:51:26 -0500
As I (and at least one other) have noted in previous postings to
ethereal-users, distributed sniffer .cap files (sniffer v4.10 and greater?)
sometimes display dates/times incorrectly.

Some debugging has indicated that the files which display incorrectly (at
least the ones I have) display correctly if:

1.  Ethereal uses a tick size of .8 usec (that is, if the timehi/timelo
values in the record headers are divided by 1250000 to get seconds).

2. Ethereal ignores the timehi/timelo values in the file header (i.e.: 0
used as value).


I've determined the above by taking sniffer display of absolute and delta
times from a capture and comparing them to the values stored in the capture
file.

Shown below are two examples with sniffer output and Ethereal debug dumps
for the first  one or two packets for:

1. a "2.002" capture in which the tick size is 1 usec
   ('timeunit' in file header is 0)

2. a "2.002" capture in which the tick size is .8 usec
   ('timeunit' in file header is 2)

(For what it's worth: both of these captures are of 100 Mbits ordinary
ethernet (POE?). I'm not actually familiar with the exact details of the
sniffer hardware used to make the captures).

Although I've kludged a version of netxray.c to be able to properly show
the times for .cap files with a .8 usec tick size, I'm not altogether sure
how to do a fix which will work for all different variations of sniffer
capture files especially as the value Tps[2] in netxray.c already has a
(different) 'ticks per second' value. So I'm submitting this information in
the hope someone with more knowledge in this area can make the actual fix.

It would also appear that some work may be required in the code which
writes netxray format files to allow for this new tick size.

Bill Meier

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Example #1:
   .cap file header version  = "2.002";
   .cap file header timeunit = 0:  [1 tick = 1 usec]

Sniffer Version: Unknown;
Ethereal 0.9.13 displays capture AOK

==========================================================

Sniffer Output Extract (with certain details removed)
-----------------------------------------------------

- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
 Frame Status Source Address    Dest. Address      Size Rel. Time     Delta Time    Abs. Time              Summary

     1 M      ............      ..............      100 0:00:00.000   0.000.000     01/24/2003 09:20:20 AM TCP: ......

DLC:  ----- DLC Header -----
      DLC:
      DLC:  Frame 1 arrived at  09:20:20.4631; frame size is 100 (0064 hex) bytes.



File Header from Ethereal debug display
---------------------------------------

-	hdr	{...}
+	version	0x0012ebe4 "002.002"
	start_time	1043418000     ;;  -->  date/time: Fri Jan 24 09:20:00 2003 EST
	nframes	10
	xxx	1459
	start_offset	128
	end_offset	1459
-	xxy	0x0012ec00
	[0]	2275396
	[1]	0
	[2]	1459
	network	0
-	xxz	0x0012ec0e ""
	[0]	0 ''
	[1]	0 ''
	timeunit	0 ''           ;; means 1 tick = 1 microsec
-	xxa	0x0012ec11 ""
	[0]	0 ''
	[1]	0 ''
	[2]	0 ''
	timelo	0
	timehi	0
	linespeed	100000000
-	xxb	0x0012ec20 ""

First Data Record Header from Ethereal Debug Display
----------------------------------------------------

-	hdr_2_x	{...}
	timelo	20463135			;; 20.463135 secs after "start-time"
	timehi	0
	orig_len	104
	incl_len	104
-	xxx	0x0012dfec ""

===============
Example #2:
   .cap file header version  = "2.002"
   .cap file header timeunit = 2
Sniffer Version: 4.10 ?;

Ethereal 0.9.13 displays date/time NG

Displays date/time correctly if:

1) timeunit = 1250000
2) timelo/timehi in file header ignored (i.e. 0 used)

==============================================================


Sniffer Output Extract (with certain details removed)
----------------------------------------------------

- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
 Frame Status Source Address    Dest. Address      Size Rel. Time     Delta Time    Abs. Time              Summary

     1 M      .............     ............         66 0:00:00.000   0.000.000     06/06/2003 09:37:16 AM TCP: ...........

DLC:  ----- DLC Header -----
      DLC:
      DLC:  Frame 1 arrived at  09:37:16.0154; frame size is 66 (0042 hex) bytes.


- - - - - - - - - - - - - - - - - - - - Frame 2 - - - - - - - - - - - - - - - - - - - -
 Frame Status Source Address    Dest. Address      Size Rel. Time     Delta Time    Abs. Time              Summary

     2       ...............    ................    316 0:00:00.000   0.000.329     06/06/2003 09:37:16 AM TCP: ............

DLC:  ----- DLC Header -----
      DLC:
      DLC:  Frame 2 arrived at  09:37:16.0158; frame size is 316 (013C hex) bytes.


File Header from Ethereal debug display
---------------------------------------

-	hdr	{...}
+	version	0x0012ebe4 "002.002"
	start_time	1054906636          ;; -->  date/time: Fri Jun 06 09:37:16 2003 EDT
	nframes	20701
	xxx	8388608
	start_offset	128
	end_offset	7003354
-	xxy	0x0012ec00
	[0]	6966049
	[1]	0
	[2]	7003354
	network	0
-	xxz	0x0012ec0e ""
	[0]	0 ''
	[1]	0 ''
	timeunit	2 ''			;; seems to mean tick = .8 usecs
-	xxa	0x0012ec11 ""
	[0]	0 ''
	[1]	0 ''
	[2]	0 ''
	timelo	4095060683        ;; ?? Note that timelo, timehi in data hdrs
	timehi	5400              ;; ??   is *not* "based" upon this number
	linespeed	100000000
-	xxb	0x0012ec20 ""

First Data Record Header from Ethereal Debug Display
----------------------------------------------------


-	hdr_2_x	{...}
	timelo	19289			;; = .015431 usecs using timeunit=1250000
	timehi	0
	orig_len	70
	incl_len	70
-	xxx	0x0012dfec ""

Second Data Record Header from Ethereal Debug Display
----------------------------------------------------

-	hdr_2_x	{...}
	timelo	19700          ;; = .015760 usecs [Note delta = .000329 from last rec matches sniffer display]
	timehi	0
	orig_len	320
	incl_len	320
+	xxx	0x0012dfec ""


-------------------------------------------------------------------------
.cap file Hex Dump for Example #2: file header + 2 data record headers
(matches above debug dump)

File Hdr

 0000 ¦ 58 43 50 00 30 30 32 2E 30 30 32 00 0C 99 E0 3E ¦ XCP.002.002..Öa>
 0010 ¦ DD 50 00 00 00 00 80 00 80 00 00 00 DA DC 6A 00 ¦ ¦P....Ç.Ç...+_j.
 0020 ¦ 21 4B 6A 00 00 00 00 00 DA DC 6A 00 00 00 00 00 ¦ !Kj.....+_j.....
 0030 ¦ 02 00 00 00 CB AA 15 F4 18 15 00 00 00 E1 F5 05 ¦ ....-¬.(.....ß).
 0040 ¦ 00 00 00 00 01 00 00 00 14 00 04 00 DE 34 12 00 ¦ ............¦4..
 0050 ¦ 00 00 00 00 03 00 01 00 20 03 00 00 00 00 00 00 ¦ ........ .......
 0060 ¦ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ¦ ................
 0070 ¦ 00 00 00 00 00 00 00 00 00 00 00 00 01 01 05 00 ¦ ................

Data Rec #1 Hdr

 0080 ¦ 59 4B 00 00 00 00 00 00 46 00 46 00 00 00 FF FF ¦ YK......F.F...  
 0090 ¦ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ¦ ................
 00A0 ¦ 00 00 00 00 00 00 00 00

Data Rec #1 Captured Packet

<snip>

Data Rec #2 Hdr
                                                  F4 4C ¦ .......!+.,à+h(L
 00F0 ¦ 00 00 00 00 00 00 40 01 40 01 00 00 FF FF 00 00 ¦ ......@.@...  ..
 0100 ¦ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ¦ ................
 0110 ¦ 00 00 00 00 00 00

<snip>
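To check the two findings in the post (a 'timeunit' of 2 means 1250000 ticks per second, and the file-header timelo/timehi must be ignored) against the bytes it shows, here is a small parser for the Example #2 file header and its first two data-record headers. This is an added example, not code from the post or from the Ethereal/Wireshark netxray.c; the field offsets are read off the post's debug display and hex dump, the tick rates are the two the post establishes, and the -4 hour EDT offset is assumed from the dates the post gives.

```python
import struct
from datetime import datetime, timedelta, timezone

# Ticks per second for each file-header 'timeunit' byte, as established in the post:
# 0 -> 1 usec ticks, 2 -> 0.8 usec ticks.  Other values are not covered by the post.
TICKS_PER_SECOND = {0: 1_000_000, 2: 1_250_000}

# Example #2 file header (0x00-0x7F) and its first two 40-byte data-record headers,
# transcribed from the hex dump in the post.  The packet payloads between the record
# headers are left out, so the two headers sit back to back here.
FILE_HDR = bytes.fromhex(
    "58435000 3030322E 30303200 0C99E03E  DD500000 00008000 80000000 DADC6A00"
    "214B6A00 00000000 DADC6A00 00000000  02000000 CBAA15F4 18150000 00E1F505"
    "00000000 01000000 14000400 DE341200  00000000 03000100 20030000 00000000"
    "00000000 00000000 00000000 00000000  00000000 00000000 00000000 01010500"
)
REC_HDRS = bytes.fromhex(
    "594B0000 00000000 4600 4600 0000FFFF" + "00" * 24   # record 1: timelo 19289, 70 bytes
    + "F44C0000 00000000 4001 4001 0000FFFF" + "00" * 24  # record 2: timelo 19700, 320 bytes
)

def parse_file_hdr(buf):
    """Little-endian fields at the offsets the post's debug display and hex dump agree on."""
    if buf[:4] != b"XCP\0" or len(buf) < 0x40:
        raise ValueError("not a NetXRay/Sniffer .cap file header")
    version = buf[4:12].split(b"\0", 1)[0].decode()
    start_time, nframes = struct.unpack_from("<II", buf, 0x0C)
    timeunit = buf[0x30]
    timelo, timehi, linespeed = struct.unpack_from("<III", buf, 0x34)
    return dict(version=version, start_time=start_time, nframes=nframes,
                timeunit=timeunit, timelo=timelo, timehi=timehi, linespeed=linespeed)

def parse_rec_hdr(buf, off):
    timelo, timehi, orig_len, incl_len = struct.unpack_from("<IIHH", buf, off)
    return dict(timelo=timelo, timehi=timehi, orig_len=orig_len, incl_len=incl_len)

def record_seconds(hdr, rec):
    """Seconds after start_time.  As the post found, the file-header timelo/timehi are
    ignored (treated as 0); only the record's tick count and the timeunit rate are used."""
    rate = TICKS_PER_SECOND.get(hdr["timeunit"])
    if rate is None:
        raise ValueError("timeunit %d not covered by the post" % hdr["timeunit"])
    return ((rec["timehi"] << 32) | rec["timelo"]) / rate

def record_abs_time(hdr, rec, utc_offset_hours):
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(hdr["start_time"], tz) + timedelta(seconds=record_seconds(hdr, rec))

if __name__ == "__main__":
    h, r1, r2 = parse_file_hdr(FILE_HDR), parse_rec_hdr(REC_HDRS, 0), parse_rec_hdr(REC_HDRS, 40)
    print(h["version"], "timeunit", h["timeunit"], record_abs_time(h, r1, -4).isoformat())
    print("delta %.6f" % (record_seconds(h, r2) - record_seconds(h, r1)))
```

Run stand-alone it prints the 09:37:16.0154 arrival time and the 0.000329 delta that the Sniffer display shows; swapping the timeunit-2 rate for 1000000, or adding the file-header timelo/timehi, reproduces the wrong display the post describes.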