In some videos pertaining to Wireshark (see screenshot below), I have seen TTL values such as: 20 hours, 50 minutes, 25 seconds, but in the interface I cannot figure out how to get this format of display, it is always a single number representing seconds. Am I missing a setting somewhere?
Do those videos show Wireshark displaying the TTL in that fashion or do they just describe the raw numeric value in that fashion in, for example, slides shown in the video?
There's no setting in the shipping version of Wireshark to cause the TTL to be shown in that form, so you'd have to request a change to Wireshark to cause it to show them in that fashion; please file an enhancement request on the Wireshark Bugzilla.
It used to work this way; commit 42c52d86127263dcb84791f7213726964a3ef025 was checked in on 2013-10-18, and that changed the format.
It can be changed back without too much effort by changing the field type from FT_UINT32 to FT_RELATIVE_TIME and arranging that relative time values have both "signed" and "unsigned" versions of the various representations (DNS TTLs are unsigned, although any TTL value with the uppermost bit set is not guaranteed to be handled correctly by all recipients - RFC 1035 said "signed" in one place and "unsigned' in another, and RFC 2181 resolves the ambiguity by saying "unsigned, but limit values to 0 to 2^31-1).
There are fields for SOA and RRSIG that have the format you're looking for.
ti = proto_tree_add_item(rr_tree, hf_dns_rrsig_original_ttl, tvb, cur_offset, 4, ENC_BIG_ENDIAN); proto_item_append_text(ti, " (%s)", signed_time_secs_to_str(wmem_packet_scope(), tvb_get_ntohl(tvb, cur_offset)));
Also 
hf_dns_soa_refresh_interval, hf_dns_soa_retry_interval, hf_dns_soa_expire_limit, hf_dns_soa_minimum_ttl
Some time fields get a detailed breakdown after them, some don't. They should probably all be converted to FT_RELATIVE_TIME (or maybe we should have separate signed and unsigned versions of that type), which will automatically put the detailed breakdown into the field.
Just open a bug with a title such as "DNS time to live field should be displayed as days/hours/minutes/seconds" and giving a more detailed statement of the same thing as the text; note that older versions did show them as such.
Asked: 2019-12-07 16:57:43 +0000
Seen: 10,465 times
Last updated: Dec 08 '19
Can you post a link to one of the videos showing this?
@bubbasnmp added screenshot of Chappell video segment showing the DNS ttl.