Ask Your Question
0

viewing a pcap that uses non UTC timestamps with a thiszone offset seems to ignore the offset

asked 2019-06-04 20:36:23 +0000

lysaghtn gravatar image

I have a pcap file that is using a local timestamp that is not based in UTC time but uses the thiszone variable in the header to declare the offset between UTC and the local time. When I open the file in wireshark, the local time is reported as UTC and then the local time calculation happens as usual e.g. the file says the time should be 4PM EDT but with a four hour offset in thiszone. wireshark says UTC is 4PM and EDT is 12PM.

When I changed the thiszone variable in the header, the UTC remained 4PM and EDT remained 12PM regardless of the value of thiszone.

I might be misunderstanding what the thiszone variable of the global header does but from what it says here it seems that thiszone should alow for a non UTC timestamp to be used.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-06-04 22:11:50 +0000

SYN-bit gravatar image

A quick scan of the source code of Wireshark raises the suspicion that the "thiszone" header variable is not used in time calculations. From the Wireshark wiki page it also states: In practice, time stamps are always in GMT, so thiszone is always 0. I guess that it why it has not been implemented.

What kind of program wrote this pcap file? I have never seen a pcap file where the packet times were not saved in UTC in the file. But if there are now programs on the market that do utilize the 'thiszone' variable, then maybe you should file an enhancement report on bugs.wireshark.org.

If it is a custom made program that generates the pcap with a thiszone offset. Then you might want to consider writing the timestamps in UTC instead. It seems other tools (I tried tcpdump) also ignore it's value. Better yet, start using pcapng as default pcap format.

edit flag offensive delete link more

Comments

Libpcap discards the "thiszone" value, dating back to libpcap 0.4 (i.e., a LONG time ago), so tcpdump doesn't know it or use it.

Again, I would STRONGLY recommend not using that field, and putting the time stamps in UTC.

Guy Harris gravatar imageGuy Harris ( 2019-06-05 01:41:27 +0000 )edit

Ah, I have changed the code on my side to UTC and everything is working now. thank you for the advice!

lysaghtn gravatar imagelysaghtn ( 2019-06-07 17:25:23 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-06-04 20:36:23 +0000

Seen: 312 times

Last updated: Jun 04 '19

Related questions

Delay in GOOSE Subscription

What is the syntax for wireshark custom column

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark

Can I create a capture filter on a pcap file

How can I extract parameters from pcap

How to figure out cookies from pcap files?

extract only payload parts of packets of pcap file

Is there a maximum file size for pcap-files?

How to use rawshark to analyse a pcap file which is generated by tcpdump?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2