 | 1 | initial version |
A quick scan of the source code of Wireshark raises the suspicion that the "thiszone" header variable is not used in time calculations. From the Wireshark wiki page it also states: In practice, time stamps are always in GMT, so thiszone is always 0. I guess that it why it has not been implemented.
What kind of program wrote this pcap file? I have never seen a pcap file where the packet times were not saved in UTC in the file. But if there are now programs on the market that do utilize the 'thiszone' variable, then maybe you should file an enhancement report on bugs.wireshark.org.
If it is a custom made program that generates the pcap with a thiszone offset. Then you might want to consider writing the timestamps in UTC instead. It seems other tools (I tried tcpdump) also ignore it's value. Better yet, start using pcapng as default pcap format.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
