Revision history

See this first link for code to convert timestamps. Explanation below.
Convert us-timestamp to absolute_time
lua dissector absolute time

When you create the ProtoField ProtoField.absolute_time you don't get to specify the time format/encoding. It is created as ENC_TIME_SECS_NSECS (Wireshark doc README.dissector):

ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes. For 8 bytes, the first 4
    bytes are seconds and the next 4 bytes are nanoseconds; for 12
    bytes, the first 8 bytes are seconds and the next 4 bytes are
    nanoseconds; for 16 bytes, the first 8 bytes are seconds and
    the next 8 bytes are nanoseconds. The seconds are seconds
    since the UN*X epoch (1970-01-01 00:00:00 UTC). (I.e., a UN*X
    struct timespec with a 4-byte or 8-byte time_t or a structure
    with an 8-byte time_t and an 8-byte nanoseconds field.)


There is an example in the wiki: A pcap FileShark script:

    -- ProtoField declarations (fields live in the pcap_fields.rechdr table)
    timestamp = ProtoField.new    ("Timestamp", "pcapfile.timestamp", ftypes.ABSOLUTE_TIME),
    time_secs = ProtoField.uint32 ("pcapfile.time.secs", "Time Seconds", base.DEC,
                                   nil, 0, "Timestamp seconds portion"),
    time_nsecs= ProtoField.uint32 ("pcapfile.time.nsecs", "Time Nanoseconds", base.DEC,
                                   nil, 0, "Timestamp nanoseconds portion"),
    ...
    -- adding the fields to the tree: the 8-byte range is the whole secs/nsecs pair
    local subtree = add(tree, pcap_fields.rechdr.timestamp, tvbuf:range(0,8))
    add(subtree, pcap_fields.rechdr.time_secs, tvbuf:range(0,4))
    add(subtree, pcap_fields.rechdr.time_nsecs, tvbuf:range(4,4))

Which produces this for the timestamp bytes f9 42 dd 51 41 3e 0c 00 (hexdump offset 0000):

Timestamp: Jul 10, 2013 06:18:17.000802369 Central Daylight Time
    Time Seconds: 1373455097
    Time Nanoseconds: 802369
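The two routes the answer describes, as an added Lua dissector example (this is not the wiki's pcap FileShark script and not the answer author's code): a field that arrives as a little-endian secs/nsecs pair is handed to an absolute_time field with add_le so the native ENC_TIME_SECS_NSECS decoding applies, while a field that arrives as a 64-bit microsecond counter, for which absolute_time has no encoding, is split into seconds and nanoseconds by hand and passed in as an NSTime value. The payload layout (8 bytes of LE microseconds followed by LE uint32 seconds and LE uint32 nanoseconds), the protocol name "usts" and UDP port 9999 are all assumptions made for this example.

```lua
-- Added example, not from the Wireshark wiki or the answer above.
-- Assumed (constructed) payload layout:
--   bytes 0..7  : uint64 little-endian microseconds since the UNIX epoch
--   bytes 8..15 : uint32 LE seconds, uint32 LE nanoseconds (ENC_TIME_SECS_NSECS)
-- "usts" and UDP port 9999 are placeholders chosen for this example.
local usts = Proto("usts", "Microsecond timestamp example")

local f_us_raw   = ProtoField.uint64       ("usts.us_raw",   "Raw microseconds",       base.DEC)
local f_us_time  = ProtoField.absolute_time("usts.us_time",  "Timestamp (from us)",    base.UTC)
local f_ts_time  = ProtoField.absolute_time("usts.ts_time",  "Timestamp (secs/nsecs)", base.UTC)
local f_ts_secs  = ProtoField.uint32       ("usts.ts_secs",  "Time Seconds",           base.DEC)
local f_ts_nsecs = ProtoField.uint32       ("usts.ts_nsecs", "Time Nanoseconds",       base.DEC)

usts.fields = { f_us_raw, f_us_time, f_ts_time, f_ts_secs, f_ts_nsecs }

-- Split a UInt64 microsecond count into the (secs, nsecs) pair NSTime expects.
-- The arithmetic stays in UInt64 so counters above 2^53 keep full precision;
-- only the two small results are converted to Lua numbers.
local function us_to_nstime(us)
    local secs  = us / 1000000              -- UInt64 division truncates
    local nsecs = (us % 1000000) * 1000
    return NSTime.new(secs:tonumber(), nsecs:tonumber())
end

function usts.dissector(tvbuf, pinfo, tree)
    -- Refuse short payloads instead of reading past the buffer.
    if tvbuf:len() < 16 then return 0 end
    pinfo.cols.protocol = usts.name
    local subtree = tree:add(usts, tvbuf:range(0, 16))

    -- 1) Microsecond counter: no absolute_time encoding matches it, so the
    --    value is converted by hand and the NSTime is supplied explicitly.
    local us_range = tvbuf:range(0, 8)
    local us = us_range:le_uint64()
    subtree:add_le(f_us_raw, us_range)
    subtree:add(f_us_time, us_range, us_to_nstime(us))

    -- 2) secs/nsecs pair: exactly the ENC_TIME_SECS_NSECS layout the field
    --    type decodes itself; add_le selects little-endian byte order. Using
    --    plain add() here would read the pair big-endian and give wrong times.
    local ts_range = tvbuf:range(8, 8)
    local ts_item = subtree:add_le(f_ts_time, ts_range)
    ts_item:add_le(f_ts_secs,  tvbuf:range(8, 4))
    ts_item:add_le(f_ts_nsecs, tvbuf:range(12, 4))
    return 16
end

DissectorTable.get("udp.port"):add(9999, usts)
```

Loaded as a plugin, the second field decodes the answer's bytes f9 42 dd 51 41 3e 0c 00 to the same 1373455097 seconds and 802369 nanoseconds shown above, displayed in UTC rather than local time because the fields are declared with base.UTC. The same split logic serves a 32-bit counter: read it with le_uint() instead and do the division on a plain Lua number.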