The TOD Clock from the CTRACE entry you provided
D4AE1DB7DB099844 is 07/25/2018 11:56:47.783065 UTC, which is 1532519807.783065000 epoch.
These timestamps have a microsecond granularity. I was crafting a pcapng file by using editcap -t to see what the internal representation looked like in a Windows-generated (little-endian) pcapng.

Here is the resulting pcapng in hex, with a timestamp (hi/lo) of D17105009910C192 at +144 at a time resolution of 10^-6:

0000000: 0a0d 0d0a bc00 0000 4d3c 2b1a 0100 0000  ........M<+.....
0000010: ffff ffff ffff ffff 0200 3d00 2020 2020  ..........=.    
0000020: 2020 2049 6e74 656c 2852 2920 436f 7265     Intel(R) Core
0000030: 2854 4d29 2069 332d 3332 3137 5520 4350  (TM) i3-3217U CP
0000040: 5520 4020 312e 3830 4748 7a20 2877 6974  U @ 1.80GHz (wit
0000050: 6820 5353 4534 2e32 2900 0000 0300 1e00  h SSE4.2).......
0000060: 3634 2d62 6974 2057 696e 646f 7773 2031  64-bit Windows 1
0000070: 302c 2062 7569 6c64 2031 3530 3633 0000  0, build 15063..
0000080: 0400 3000 4475 6d70 6361 7020 2857 6972  ..0.Dumpcap (Wir
0000090: 6573 6861 726b 2920 322e 342e 3020 2876  eshark) 2.4.0 (v
00000a0: 322e 342e 302d 302d 6739 6265 3066 6135  2.4.0-0-g9be0fa5
00000b0: 3030 6429 0000 0000 bc00 0000 0100 0000  00d)............
00000c0: 7c00 0000 0100 0000 ffff 0000 0200 3200  |.............2.
00000d0: 5c44 6576 6963 655c 4e50 465f 7b31 3134  \Device\NPF_{114
00000e0: 3833 3434 382d 3436 4445 2d34 4344 352d  83448-46DE-4CD5-
00000f0: 3837 3343 2d42 3731 3446 4638 3946 3335  873C-B714FF89F35
0000100: 377d 0000 0900 0100 0600 0000 0c00 1e00  7}..............
0000110: 3634 2d62 6974 2057 696e 646f 7773 2031  64-bit Windows 1
0000120: 302c 2062 7569 6c64 2031 3530 3633 0000  0, build 15063..
0000130: 0000 0000 7c00 0000 0600 0000 5800 0000  ....|.......X...
0000140: 0000 0000 d171 0500 9910 c192 3600 0000  .....q......6...
0000150: 3600 0000 6036 dd98 9414 001d aa5c 0f60  6...`6.......\.`
0000160: 0800 4500 0028 1269 0000 fe06 270a c0a8  ..E..(.i....'...
0000170: 0101 c0a8 010b 0050 c65e e1cc a541 b6f7  .......P.^...A..
0000180: 598c 5010 6400 6a36 0000 0000 5800 0000  Y.P.d.j6....X...

I created new files with a timestamp 1 microsecond apart:
d171 0500 9910 c192 
d171 0500 9a10 c192
d171 0500 9b10 c192
d171 0500 9c10 c192
d171 0500 9d10 c192
and 65536 microseconds apart:
d171 0500 9910 c292

That revealed that the timestamp is in little-endian notation.

So to get the correct timestamp into Wireshark, use epochtime*1000000+epochtime_fractions = 0571d192c11099 and convert it to little endian: d171 0500 9910 c192.
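As an added example (not code from the post above), here is a Python script that does the conversion end to end: it turns the TOD clock into epoch microseconds, splits the value into the two 32-bit EPB timestamp words and packs them in the byte order announced by the SHB magic, and parses the bytes at +0x144 of the dump back into a time. It assumes the standard z/Architecture TOD layout (bit 51 counts microseconds, epoch 1900-01-01 00:00:00 UTC) and the 10^-6 if_tsresol shown above.

```python
import struct
from datetime import datetime, timedelta, timezone

# First 12 bytes of the dump above: SHB block type, block length and
# byte-order magic. The magic decides how every later field is read.
SHB_HEAD = bytes.fromhex("0a0d0d0a" "bc000000" "4d3c2b1a")
# The 8 timestamp bytes at +0x144 of the dump (EPB timestamp high, then low).
EPB_TS_BYTES = bytes.fromhex("d1710500" "9910c192")

# Assumption: z/Architecture TOD clock, bit 51 of the 64-bit value is one
# microsecond (so value >> 12 is microseconds) and the epoch is
# 1900-01-01 00:00:00 UTC. The post only gives the resulting time.
SECONDS_1900_TO_1970 = 2208988800


def byte_order(shb_head):
    """Return the struct byte-order prefix from the SHB magic (0x1A2B3C4D)."""
    (magic,) = struct.unpack("<I", shb_head[8:12])
    if magic == 0x1A2B3C4D:
        return "<"          # file written little-endian (this Windows capture)
    if magic == 0x4D3C2B1A:
        return ">"          # file written big-endian
    raise ValueError("not a pcapng SHB: bad byte-order magic")


def tod_to_epoch_us(tod):
    """TOD clock value -> microseconds since the Unix epoch."""
    return (tod >> 12) - SECONDS_1900_TO_1970 * 1_000_000


def epoch_us_to_epb_timestamp(ts_us, order="<"):
    """Epoch microseconds -> 8 EPB timestamp bytes (high word, then low word)."""
    hi, lo = ts_us >> 32, ts_us & 0xFFFFFFFF
    return struct.pack(order + "II", hi, lo)


def epb_timestamp_to_epoch_us(raw, order="<"):
    """8 EPB timestamp bytes -> epoch microseconds (if_tsresol 10^-6 assumed)."""
    hi, lo = struct.unpack(order + "II", raw)
    return (hi << 32) | lo


def format_utc(ts_us):
    """Render epoch microseconds exactly, avoiding float rounding of the fraction."""
    t = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts_us)
    return t.strftime("%m/%d/%Y %H:%M:%S.%f UTC")


if __name__ == "__main__":
    order = byte_order(SHB_HEAD)
    ts = tod_to_epoch_us(0xD4AE1DB7DB099844)
    print(hex(ts), epoch_us_to_epb_timestamp(ts, order).hex())
    print(format_utc(epb_timestamp_to_epoch_us(EPB_TS_BYTES, order)))
```

Adding 1 or 65536 to the epoch value reproduces the 9a10c192 and 9910c292 variants listed above, which is the quickest way to confirm the word split and byte order on a file you did not write yourself.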