Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Custom formatter for 64bit field

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 11 Mar 2010 14:38:05 -0800
On Mar 11, 2010, at 2:24 PM, David Arnold wrote:

> I'm writing a dissector for a protocol that uses a 64-bit time field
> which is not in the format required for FT_ABSOLUTE_TIME.

What do you mean by "the format required for FT_ABSOLUTE_TIME"?  An FT_ABSOLUTE_TIME field doesn't have to be in the form of seconds/nanoseconds in the packet (there's no support for FT_ABSOLUTE_TIME in proto_tree_add_item()), it just has to be possible to convert the value, in whatever form it is in the packet, into a seconds-since-January-1-1970-midnight-UTC value and a nanoseconds-since-that-second value; is it possible to convert the time field into such a value?

(If it's an FT_ABSOLUTE_TIME field, it must represent a particular date and time, and thus the only reason why it couldn't be converted would be that:

	1) it's local time, not UTC - but we handle fields of that sort by assuming, for better or worse, that they're local time in the current time zone;

	2) it represents a time outside the range representable by seconds-since-January-1-1970-midnight-UTC with a 32-bit time_t;

	3) it needs resolution better than 1 nanosecond.)