Ethereal: Re: [Ethereal-users] Absolute time information in capture files?

Ethereal-users: May 2004

Subject: Re: [Ethereal-users] Absolute time information in capture files?
From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Fri, 7 May 2004 12:27:23 -0700 (PDT)

Lars Ruoff said:
> - Is there any absolute time information saved with libcap capture files?
> (so as to know when the capture took place in UTC)

Yes.  In fact, that's the *only* time information stored in capture files,
if by "when the capture took place" you mean "when the packet arrived". 
(There's no capture start time in libpcap files.)

> - If so, how to show that information?
> I tried changing a column to "Absolute Time" with the Preferences->User
> Interface->Columns dialog, but that didnt change anything. :(

Well, on a UN*X system, you'd run Ethereal with the TZ environment
variable set to "GMT0", which, I think, would do it.  On Windows, that's a
bit harder.

We could perhaps add such a display format - we'd use "gmtime()" rather
than "localtime()" in that case.

> - If not, which capture file formats do have that information and can
> Ethereal exploit them?

Note that some other formats *don't* have that information - they just
have local time information; for those files, the display format in
question wouldn't work unless you read the file in the same time zone.

References:
- [Ethereal-users] Absolute time information in capture files?
  - From: Lars Ruoff

Prev by Date: [Ethereal-users] Error: "Ethereal has generated errors and will be closed by Windows"
Next by Date: Re: [Ethereal-users] Ethereal capturing problems
Previous by thread: Re: [Ethereal-users] Absolute time information in capture files?
Next by thread: [Ethereal-users] Error: "Ethereal has generated errors and will be closed by Windows"
Index(es):
- Date
- Thread