1 | initial version |
See this first link for code to convert timestamps. Explanation below.
Convert us-timestamp to absolute_time
lua dissector absolute time
When you create the ProtoField with ProtoField.absolute_time you don't get to specify the time format/encoding. It is created as ENC_TIME_SECS_NSECS (Wireshark doc README.dissector):
ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes. For 8 bytes, the first 4 bytes are seconds and the next 4 bytes are nanoseconds; for 12 bytes, the first 8 bytes are seconds and the next 4 bytes are nanoseconds; for 16 bytes, the first 8 bytes are seconds and the next 8 bytes are nanoseconds. The seconds are seconds since the UN*X epoch (1970-01-01 00:00:00 UTC). (I.e., a UN*X struct timespec with a 4-byte or 8-byte time_t or a structure with an 8-byte time_t and an 8-byte nanoseconds field.)
There is an example in the wiki: A pcap FileShark script:
```lua
timestamp  = ProtoField.new("Timestamp", "pcapfile.timestamp", ftypes.ABSOLUTE_TIME),
time_secs  = ProtoField.uint32("pcapfile.time.secs", "Time Seconds", base.DEC, nil, 0, "Timestamp seconds portion"),
time_nsecs = ProtoField.uint32("pcapfile.time.nsecs", "Time Nanoseconds", base.DEC, nil, 0, "Timestamp nanoseconds portion"),
```
Which produces this for timestamp bytes `0000 f9 42 dd 51 41 3e 0c 00`:
Timestamp: Jul 10, 2013 06:18:17.000802369 Central Daylight Time
Time Seconds: 1373455097
Time Nanoseconds: 802369
3 | No.3 Revision |
```lua
timestamp  = ProtoField.new("Timestamp", "pcapfile.timestamp", ftypes.ABSOLUTE_TIME),
time_secs  = ProtoField.uint32("pcapfile.time.secs", "Time Seconds", base.DEC, nil, 0, "Timestamp seconds portion"),
time_nsecs = ProtoField.uint32("pcapfile.time.nsecs", "Time Nanoseconds", base.DEC, nil, 0, "Timestamp nanoseconds portion"),
...
local subtree = add(tree, pcap_fields.rechdr.timestamp, tvbuf:range(0,8))
add(subtree, pcap_fields.rechdr.time_secs, tvbuf:range(0,4))
add(subtree, pcap_fields.rechdr.time_nsecs, tvbuf:range(4,4))
```
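Since an absolute_time field always decodes its bytes as ENC_TIME_SECS_NSECS, a microsecond counter has to be converted to an NSTime and handed to the tree explicitly. The following is an added example (not the answer's or the wiki's code) for a hypothetical protocol on a placeholder UDP port whose header carries an 8-byte little-endian microsecond timestamp followed by the page's native secs/nsecs layout:

```lua
-- Added example (not from the original answer): minimal dissector for a
-- constructed protocol. Bytes 0..7 hold MICROSECONDS since the UN*X epoch
-- (little-endian); bytes 8..15 hold 4-byte secs + 4-byte nsecs as on the page.
local usproto = Proto("ustime", "Microsecond timestamp demo (constructed)")

local f_raw_us = ProtoField.uint64("ustime.raw_us", "Raw microseconds", base.DEC)
local f_ts     = ProtoField.absolute_time("ustime.timestamp", "Timestamp", base.UTC)
local f_native = ProtoField.absolute_time("ustime.native", "Native secs/nsecs", base.UTC)

usproto.fields = { f_raw_us, f_ts, f_native }

-- Split a UInt64 microsecond count into the (secs, nsecs) pair NSTime expects.
-- UInt64 '/' and '%' are integer operations in Wireshark's Lua API.
local function us_to_secs_nsecs(us)
    local secs  = (us / 1000000):tonumber()
    local nsecs = (us % 1000000):tonumber() * 1000
    return secs, nsecs
end

function usproto.dissector(tvbuf, pinfo, tree)
    if tvbuf:len() < 16 then return 0 end
    pinfo.cols.protocol = usproto.name
    local subtree = tree:add(usproto, tvbuf(), "Microsecond timestamp demo")

    -- Microsecond field: cannot be decoded as absolute_time directly, so
    -- convert and pass an NSTime value instead of letting Wireshark read the bytes.
    local us_range = tvbuf(0, 8)
    local us = us_range:le_uint64()
    subtree:add_le(f_raw_us, us_range)
    local secs, nsecs = us_to_secs_nsecs(us)
    subtree:add(f_ts, us_range, NSTime.new(secs, nsecs))

    -- Native ENC_TIME_SECS_NSECS layout: add_le() decodes the 8 bytes itself.
    subtree:add_le(f_native, tvbuf(8, 8))
    return tvbuf:len()
end

-- Placeholder port; protocol and port are constructed for this example.
DissectorTable.get("udp.port"):add(40000, usproto)
```

With the page's bytes `f9 42 dd 51 41 3e 0c 00` in the second slot, the native field shows 1373455097 s / 802369 ns; the same instant as microseconds would be 1373455097000802 in the first slot.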