This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Special handling of an ‘FT_ABSOLUTE_TIME’ field

0

Hello guys,

I have a question about FT_ABSOLUTE_TIME. In the README.developer file, FT_ABSOLUTE_TIME is described as below:


An absolute time from some fixed point in time, displayed as the date, followed by the time, as hours, minutes, and seconds with 9 digits after the decimal point.


But I want only the last 30 bits of the last four bytes to be used for the nsecs; the first 2 bits of the last four bytes are used for other purposes. Any ideas?

Best Regards! Sam

asked 09 Oct '11, 07:42

Sam

edited 11 Oct '11, 14:29

multipleinte...

1

What is the precise format, and interpretation, of the time stamp you're dealing with? Is it 32 bits or 64 bits of seconds since some epoch (such as the UN*X epoch), 30 bits of nanoseconds, and 2 bits of other information?

(09 Oct '11, 14:32) Guy Harris ♦♦

Yes, it is 32 bits for seconds, the following 2 bits for other information, and the last 30 bits for nanoseconds.

(09 Oct '11, 18:09) Sam

The time stamp is read from 8 bytes in the normal state, but now the first 2 bits of the fifth byte need to be defined for a special purpose, such as a flag. So how do I get the correct time from the remaining 62 bits? Specifically, the first 32 bits and the last 30 bits of these 8 bytes are for the time stamp. How do I get it?

(09 Oct '11, 23:01) Sam

One Answer:

3

(Note: questions are not guaranteed to be answered in N hours, for any value of N.)

What you need to do is to fetch the two 32-bit fields in the time stamp yourself, use them to fill in an nstime_t structure, and call proto_tree_add_time() to add it to the protocol tree. Put the first 32 bits - the seconds value - in the secs field of the nstime_t, extract the lower 30 bits of the second 32 bits (by ANDing with 0x3FFFFFFF) and put it into the nsecs field of the nstime_t, and do whatever is appropriate with the remaining 2 bits.

answered 10 Oct '11, 01:44

Guy Harris ♦♦

Thank you, Harris.

But I'm sorry, I still have two questions:

1) How to fill them into an nstime_t structure?

2) How to fetch the two 32-bit fields in the TIME STAMP? tvb_get_ptr or tvb_get_bits32 or others?

Note: the TIME STAMP is not the original time stamp; it is just the eight bytes inserted between the payload and CRCs by another tool.

(10 Oct '11, 05:50) Sam
1

The answer to "how to fill them into an nstime_t structure?" is:

Put the first 32 bits - the seconds value - in the secs field of the nstime_t, extract the lower 30 bits of the second 32 bits (by ANDing with 0x3FFFFFFF) and put it into the nsecs field of the nstime_t, and do whatever is appropriate with the remaining 2 bits.

Seriously. You have two 32-bit quantities, and an nstime_t structure. If the nstime_t were named ts, and the two 32-bit quantities are first and second, do:

    ts.secs = first;
    ts.nsecs = (second & 0x3FFFFFFF);

(10 Oct '11, 10:58) Guy Harris ♦♦
1

As for fetching the fields, use tvb_get_ntohl() if they're in big-endian format, and use tvb_get_letohl() if they're in little-endian format.

(10 Oct '11, 10:59) Guy Harris ♦♦
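
The steps from the answer and comments above, as an added example that is not part of the original thread or of Wireshark's own code. It parses the 8-byte field from a plain byte buffer, assuming big-endian order, and also rejects nanosecond values that 30 bits can encode but that are not valid; `example_nstime`, `read_be32` and `parse_flagged_timestamp` are hypothetical names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Wireshark's nstime_t (secs + nsecs), so this builds without
 * the Wireshark headers. In a dissector, fill a real nstime_t and pass it to
 * proto_tree_add_time(), as the answer describes. */
typedef struct { int64_t secs; int32_t nsecs; } example_nstime;

/* Big-endian 32-bit read; in a dissector this is tvb_get_ntohl(). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if fewer than 8 bytes are available,
 * -2 if the 30-bit field is not a valid nanosecond count. */
static int parse_flagged_timestamp(const uint8_t *buf, size_t len,
                                   example_nstime *ts, uint8_t *flags)
{
    uint32_t first, second;

    if (len < 8)
        return -1;
    first  = read_be32(buf);      /* 32 bits of seconds */
    second = read_be32(buf + 4);  /* 2 flag bits + 30 bits of nanoseconds */

    *flags    = (uint8_t)(second >> 30);
    ts->secs  = first;
    ts->nsecs = (int32_t)(second & 0x3FFFFFFF);

    /* 30 bits reach 1073741823, but a valid nanosecond count is below 1e9. */
    if (ts->nsecs >= 1000000000)
        return -2;
    return 0;
}

/* Constructed sample: secs 0x4E915B10, flags binary 10, nsecs 123456789. */
static const uint8_t sample[8] = {0x4E, 0x91, 0x5B, 0x10, 0x87, 0x5B, 0xCD, 0x15};

int main(void)
{
    example_nstime ts; uint8_t flags;
    int rc = parse_flagged_timestamp(sample, sizeof sample, &ts, &flags);
    printf("rc=%d secs=%lld nsecs=%d flags=%u\n", rc, (long long)ts.secs, ts.nsecs, flags);
    return rc;
}
```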

It works fine. Thanks a lot for your patient help!! Harris.

BTW, I have another question. How can I use these elements (ts.secs & ts.nsecs) fetched from the packet for further analysis, such as time analysis like 'IO Graphs' in the Wireshark Statistics menu?

I am a beginner with Wireshark code; can anyone give me a thought? Thanks.

--Sam

(11 Oct '11, 04:04) Sam

Can anyone give me a hand on this? Or do you need more information?

(11 Oct '11, 17:40) Sam