Wireshark-users: Re: [Wireshark-users] Time Display issues opening traces

From: Chris Alton <enfiniti27@xxxxxxxxxxx>
Date: Fri, 10 Jun 2011 16:48:11 -0400
Thanks a lot for that explanation, Guy; that gives me everything I needed. I figured that was probably the case, but I swore I remembered Wireshark (or Ethereal) not doing that in the past, but I missed that, it seems :).

I guess I'll have to wait for pcap-ng to become more prevalent before I'll get my wish.



> From: guy@xxxxxxxxxxxx
> Date: Fri, 10 Jun 2011 12:49:12 -0700
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] Time Display issues opening traces
>
>
> On Jun 10, 2011, at 12:39 PM, Chris Alton wrote:
>
> > That method would work if I knew what timezone the trace was from but I get traces from all kinds of different Time Zones and I'd have to change that quite often.
> >
> > I'm also pretty sure that Wireshark didn't use to do this in the past but I may be remembering incorrectly.
>
> pcap and pcap-ng files store the time stamp as UTC (*not* as local time where the traffic was captured), and Wireshark converts and has always (dating back to before it was called Wireshark) converted it to local time.
>
> You would, therefore, have to change the time zone setting every time you look at a trace in a different time zone. pcap-ng, but not pcap, has the ability to record something indicating the time zone setting for a capture, but currently it's not well specified - it's currently specified as a 4-byte value with an unspecified meaning - and not supported.
>
> > I'm also kind of confused as to why changing the times in a network trace to the local timezone would actually be of any help in the first place. I seriously tried to think of a reason and was unable to come up with anything :)
>
> At least for pcap and pcap-ng captures - and for newer NetMon captures - it's not *changing* the time to the local time zone, it's displaying it *in* the local time zone, rather than as UTC; the alternative would be to display it as UTC, which, for most locations, would require you to, well, mentally compensate for the time zone difference.
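
The behaviour described in the quoted reply, as an added example that is not part of the original thread: a classic pcap record header carries the capture time as seconds and microseconds since the epoch in UTC, and the viewer's zone only changes how that instant is rendered. The sample file, the helper names and the viewer offsets below are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_sample_pcap(ts_sec, ts_usec, payload=b"\x00" * 14):
    """Constructed one-packet, little-endian pcap used as demo input."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
    return global_hdr + rec_hdr + payload

def read_timestamps(data):
    """Return every packet timestamp as a timezone-aware UTC datetime."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC_USEC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC_USEC:
        endian = ">"  # file written on a big-endian host
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    offset, stamps = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):
            break  # truncated final record: stop instead of misparsing
        stamps.append(datetime.fromtimestamp(ts_sec, tz=timezone.utc)
                      + timedelta(microseconds=ts_usec))
        offset += 16 + incl_len
    return stamps

def render(stamp, utc_offset_hours):
    """Show the same stored instant as a viewer at the given UTC offset sees it."""
    viewer = timezone(timedelta(hours=utc_offset_hours))
    return stamp.astimezone(viewer).strftime("%Y-%m-%d %H:%M:%S.%f %z")

# Constructed sample: one packet captured at 2011-06-10 19:49:12.25 UTC.
_SEC = int(datetime(2011, 6, 10, 19, 49, 12, tzinfo=timezone.utc).timestamp())
SAMPLE = build_sample_pcap(_SEC, 250000)

if __name__ == "__main__":
    for hours in (0, -7, -4, 9):  # constructed viewer offsets
        print(render(read_timestamps(SAMPLE)[0], hours))
```

The bytes in the file never change; only the rendering does, which is why traces from several sites line up once every timestamp is compared in UTC.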