Wireshark · Wireshark-dev: Re: [Wireshark-dev] frame_data.abs

Wireshark-dev: Re: [Wireshark-dev] frame_data.abs_ts and pcap timestamp reference

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Wed, 9 Dec 2009 09:47:28 -0800


On Dec 9, 2009, at 6:32 AM, RUOFF LARS wrote:

Is frame_data.abs_ts /* Absolute timestamp */ given in UTC or local
time?


UTC.

Can someone give me a hint on where to search for the code that doesthe
conversion before display (if any)?


abs_time_to_str(), etc. in epan/to_str.c.

Do pcap files store timestamps in UTC or local time?

UTC. See, for example, the pcap-savefile man page in libpcap 1.0.0and later, or


	http://wiki.wireshark.org/Development/LibpcapFileFormat

If UTC, do they store the time zone?

In theory, yes. In practice, no. There is a time zone offset fieldin the file header, but no application (tcpdump, *thereal/*shark,etc.) has ever set it to anything other than 0, as far as I know (Iknow that libpcap, which is what most applications use to write thefiles, sets it to 0).

References:
- [Wireshark-dev] frame_data.abs_ts and pcap timestamp reference
  - From: RUOFF LARS

Prev by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on OSX-10.5-ppc
Next by Date: [Wireshark-dev] radius dictionary -> segfault
Previous by thread: [Wireshark-dev] frame_data.abs_ts and pcap timestamp reference
Next by thread: [Wireshark-dev] radius dictionary -> segfault
Index(es):
- Date
- Thread