I have been tasked with adding a feature to our TCP/IP monitor product, which runs under z/OS on IBM mainframes, that will allow a user create a PCAPng file from packet trace data provided by the TCP/IP stack being monitored. The product also allows the user to create a PCAPng file from an existing z/OS packet trace file. The feature works quite well, but I have recently discovered that something is amiss with the timestamp in the EPB.
The time stamp is a 64-but unsigned binary number taken from the z/architecture TOD clock (sometimes called the STCK time). In Wireshark, if I choose one of the "Seconds since" time formats, the time displayed looks reasonable. However, if I choose a date and time of day format, the time field is blank. I am using Wireshark Version 2.6.2 (v2.6.2-0-g1b3cedbc).
I'm confident that the timestamp field is being correctly populated with the timestamp from the packet trace header, suggesting that Wireshark is expecting something different from what I am giving it. I need to know what Wireshark expects to see. Can anyone help?
