My Lua dissector needs to handle an 8-byte timestamp field that contains an integer representing nanoseconds since epoch. This is what I have so far...
ProtoField.absolute_time("myheader.timestamp", "Timestamp", base.UTC)
A date-time is printed in the dissector, but it's not correct. How can I get it to correctly calculate the date-time?
See this first link for code to convert timestamps. Explanation below.
Convert us-timestamp to absolute_time
lua dissector absolute time
When you create the ProtoField ProtoField.absolute_time you don't get to specify the time format/encoding.
It is created as ENC_TIME_SECS_NSECS (wireshark
doc
README.dissector):
ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes. For 8 bytes, the first 4 bytes are seconds and the next 4 bytes are nanoseconds; for 12 bytes, the first 8 bytes are seconds and the next 4 bytes are nanoseconds; for 16 bytes, the first 8 bytes are seconds and the next 8 bytes are nanoseconds. The seconds are seconds since the UN*X epoch (1970-01-01 00:00:00 UTC). (I.e., a UN*X struct timespec with a 4-byte or 8-byte time_t or a structure with an 8-byte time_t and an 8-byte nanoseconds field.)
There is an example in wiki: A pcap FileShark script:
timestamp = ProtoField.new ("Timestamp", "pcapfile.timestamp", ftypes.ABSOLUTE_TIME),
time_secs = ProtoField.uint32 ("pcapfile.time.secs", "Time Seconds", base.DEC,
nil, 0, "Timestamp seconds portion"),
time_nsecs= ProtoField.uint32 ("pcapfile.time.nsecs", "Time Nanoseconds", base.DEC,
nil, 0, "Timestamp nanoseconds portion"),
...
local subtree = add(tree, pcap_fields.rechdr.timestamp, tvbuf:range(0,8))
add(subtree, pcap_fields.rechdr.time_secs, tvbuf:range(0,4))
add(subtree, pcap_fields.rechdr.time_nsecs,tvbuf:range(4,4))
Which produces this for timestamp 0000 f9 42 dd 51 41 3e 0c 00
Timestamp: Jul 10, 2013 06:18:17.000802369 Central Daylight Time
Time Seconds: 1373455097
Time Nanoseconds: 802369
Asked: 2024-05-03 13:49:22 +0000
Seen: 703 times
Last updated: May 03
