On Tue, Jun 04, 2002 at 10:22:52AM -0400, Chris_Klomp@xxxxxxxxxxxxxxxxxxx wrote:
> I just upgraded to version 0.9.4
> as well as WinPcap to 2.3

WinPcap makes no difference - it's used to capture packets natively, but not to read capture files.

> But have still a 45 min. trace (i.s.o. 15 min.)

Note that

1) there's more than one type of Sniffer file - the DOS-based Sniffer software and the Windows-based Sniffer software use completely different file formats;

2) at least one person appears to have found that if they tried to read, *with the Windows Sniffer software*, a (Windows) Sniffer from one of their machines on at least one other machine, the time stamps came out wrong.

2) suggests that the problem might be insoluble, unless the resolution of the time stamps is stored in some field in the file or packet header in the file (i.e., if even *Network Associates* can't guarantee that Sniffer files can be read by anything other than Sniffer running on the machine on which the capture was done, then, unless that's just because the code *they* use to read the captures is buggy or inadequate, it's not clear we can do much better).

It also suggests that, without knowing how the Sniffer figures out what the time stamp resolution is for captures, we can't even necessarily get the right time stamps when you run Ethereal on the *same* machine.