Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 7048] pcap-ng Interface Statistics block writes wrong time

Date: Sun, 15 Apr 2012 02:00:39 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7048

Michael Tüxen <tuexen@xxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |tuexen@xxxxxxxxxxxxx
         Resolution|INVALID                     |

--- Comment #3 from Michael Tüxen <tuexen@xxxxxxxxxxxxx> 2012-04-15 02:00:39 PDT ---
Jakub,

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
says for isb_starttime:
"Time in which the capture started; time will be stored in two blocks of four
bytes each. The format of the timestamp is the same already defined in the
Enhanced Packet Block (Section 3.3)."
This indicates some sort of two 4 bytes parts. Looking at Section 3.3:
"Timestamp (High) and Timestamp (Low): high and low 32-bits of a 64-bit
quantity representing the timestamp. The timestamp is a single 64-bit unsigned
integer representing the number of units since 1/1/1970. The way to interpret
this field is specified by the 'if_tsresol' option (see Figure 9) of the
Interface Description block referenced by this packet. Please note that
differently from the libpcap file format, timestamps are not saved as two
32-bit values accounting for the seconds and microseconds since 1/1/1970. They
are saved as a single 64-bit quantity saved as two 32-bit words."

So I guess Jasper is right?

Am I missing something?

Best regards
Michael

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.