lua dissector absolute time

asked 2020-09-06 06:14:52 +0000

BMWE

Hello,

I'm trying to parse an 8-byte field with f.time = ProtoField.absolute_time("X.TimeStamp","TimeStamp", base.UTC). Calling the field with subtree:add(f.time, buffer(0,8)), I'm getting year 2005 instead of 2020.

Any suggestion what I'm doing wrong?


Comments

In what fashion is the time encoded in that 8-byte field?

- 4-byte seconds since January 1, 1970, 00:00:00 UTC, followed by 4-byte microseconds, both big-endian?
- 4-byte seconds since January 1, 1970, 00:00:00 UTC, followed by 4-byte microseconds, both little-endian?
- 4-byte seconds since January 1, 1970, 00:00:00 UTC, followed by 4-byte nanoseconds, both big-endian?
- 4-byte seconds since January 1, 1970, 00:00:00 UTC, followed by 4-byte nanoseconds, both little-endian?

Or something else?

Guy Harris ( 2020-09-06 07:46:34 +0000 )

UTC since 1/1/1970, IEEE double precision floating point. Intel format. 8-byte field.

BMWE ( 2020-09-06 07:54:12 +0000 )

So which, if any, of the encodings listed at https://gitlab.com/wireshark/wireshar... is applicable?

And by "Intel format", I take it that you mean little-endian format then? Assuming so, at the very least you should use subtree:add_le(f.time, buffer(0,8)).

Ref: 11.7.2.1. treeitem:add_le([protofield], [tvbrange], [value], [label])
https://www.wireshark.org/docs/wsdg_h...

cmaynard ( 2020-09-06 15:29:16 +0000 )

1 Answer


answered 2020-09-06 19:34:34 +0000

Guy Harris

updated 2020-09-06 19:36:04 +0000

> UTC since 1/1/1970, IEEE double precision floating point. Intel format

So that's a little-endian floating-point not-necessarily-integral number of seconds since the UN*X Epoch?

If so, then the answer to

> So which, if any, of the encodings listed at https://gitlab.com/wireshark/wireshar... is applicable?

is "none".

You will need to fetch the floating-point value directly into a numerical value, calculate the integral part (seconds) and fractional part (as nanoseconds), construct a new NSTime from those two values, and add that to the protocol tree using subtree:add(f.time, buffer(0,8), {that value}).


Comments

I don't need to use the add_le. How do I know? Defining f.time = ProtoField.double(...) provides me the same number as in Frame's Epoch Time.

Now, when I'm using

local usecs = buffer(0,8):uint64()
local secs  = (usecs / 1000000):tonumber()
local nsecs = (usecs % 1000000):tonumber() * 1000
subtree:add(pl_timestamp, buffer(0,8), NSTime.new(secs, nsecs))

and I'm getting TimeStamp: Not representable

BMWE ( 2020-09-07 06:39:33 +0000 )

Try (note I'm not a Lua programmer and I haven't run this):

local time = buffer(0,8):le_float()
local secs = math.floor(time)
local nsecs = math.fmod(time, 1) * 1e9
...

grahamb ( 2020-09-07 07:48:14 +0000 )

It is working :)

Thanks!

BMWE ( 2020-09-07 07:51:32 +0000 )

@BMWE Normally we don't close questions, simply accept the correct answer by clicking the checkmark next to it, although that's a little complicated as @Guy Harris has described the method and I've described an implementation.

grahamb ( 2020-09-07 08:09:43 +0000 )
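
The method from the answer and the snippet from the comments, put together as a complete dissector with checks on the untrusted field value. This is an added example, not code posted by anyone in the thread; the protocol name X, UDP port 50000 and the MAX_SECS bound are assumptions.

```lua
-- Added example: constructed protocol "X" on a constructed UDP port.
local x_proto = Proto("X", "X Protocol (example)")
local f_time  = ProtoField.absolute_time("X.TimeStamp", "TimeStamp", base.UTC)
x_proto.fields = { f_time }

-- Assumed sanity bound for this example: 2100-01-01 00:00:00 UTC.
local MAX_SECS = 4102444800

-- Split a floating-point epoch value into whole seconds and nanoseconds.
-- Returns nil for NaN, infinities, negative or out-of-range values.
local function split_epoch(t)
    if t ~= t or t < 0 or t > MAX_SECS then return nil end
    local secs  = math.floor(t)
    local nsecs = math.floor((t - secs) * 1e9 + 0.5)
    if nsecs >= 1e9 then          -- rounding carried into the next second
        secs, nsecs = secs + 1, 0
    end
    return secs, nsecs
end

function x_proto.dissector(buffer, pinfo, tree)
    if buffer:len() < 8 then return 0 end   -- not enough bytes for the field
    pinfo.cols.protocol = "X"
    local range   = buffer(0, 8)
    local subtree = tree:add(x_proto, range)

    -- On an 8-byte range, le_float() reads a little-endian IEEE 754 double.
    local secs, nsecs = split_epoch(range:le_float())
    if secs then
        subtree:add(f_time, range, NSTime.new(secs, nsecs))
    else
        -- Flag the packet instead of building an NSTime from a bad value.
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "TimeStamp is not a valid epoch value")
    end
    return 8
end

DissectorTable.get("udp.port"):add(50000, x_proto)  -- constructed port
```

A double holding a present-day epoch value resolves to roughly a quarter of a microsecond, so the low digits of the nanoseconds shown are not meaningful.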


Stats

Asked: 2020-09-06 06:14:52 +0000

Seen: 1,804 times

Last updated: Sep 06 '20