tcpdump mailing list archives

Re: local timestamp recovery of .cap files


From: Guy Harris <guy () alum mit edu>
Date: Thu, 14 May 2009 18:05:31 -0700


On May 14, 2009, at 5:41 PM, Andrej van der Zee wrote:

> I am having a problem with the timestamps in .cap files. I receive
> .cap files captured on machines in a different timezone (GMT +1 or GMT
> +3). When I do a "tcpdump -r en0.cap -n -tttt" then the timestamps
> are corrected to my local timezone (GMT +8 or GMT +9). The problem is
> that I need the timezone correction for the capturing machines (GMT +1
> or GMT +3) and not of my local machine. I know I can do the timezone
> correction manually by using -tt instead of -tttt and add +1 or +3
> hours, but this is error-prone. Is there a way to calculate this kind
> of recovery of the timestamp automatically?

On at least some UN*Xes, you could set the TZ environment variable for the program reading the capture file to the appropriate value for the time zone on the capturing machine, e.g.

        TZ=Asia/Singapore tcpdump -r en0.cap -n -tttt

if

1) your UN*X uses the Olson time zone database (Linux, *BSD, Solaris, and Mac OS X do, for example);

2) it uses the new-style names for time zones (I think all of the above except Solaris do; for Solaris, the name might be something other than Asia/Singapore);

3) your shell is a Bourne-compatible shell;

4) the capture was done in Singapore.

If 1) isn't the case, you may be out of luck.

If 2) isn't the case, you'd have to determine the old-style name being used, and use that instead of Asia/Singapore.

If 3) isn't the case, you might have to do

        setenv TZ Asia/Singapore
        tcpdump -r en0.cap -n -tttt
        setenv TZ {what value it had before}   or   unsetenv TZ (if it wasn't set before)

If 4) isn't the case, you'd need to find out the right name for the zone file.
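The reason the TZ trick works is that a classic pcap file stores each packet's timestamp as seconds since the Unix epoch (UTC) and records nothing about the capturing machine's zone, so "-tt" versus "-tttt" is purely a difference in rendering. The following is an added example (not code from tcpdump, libpcap, or either poster) that builds a small capture in memory, parses the record timestamps, and renders them the way "tcpdump -tt" and "TZ=<zone> tcpdump -tttt" would. It assumes Python 3.9+ for zoneinfo and a system tz database; where the database is missing (condition 1 above) it falls back to a fixed offset the caller supplies. The sample frames, the epoch values and the zone names used as input are constructed for illustration.

```python
"""Render classic-pcap timestamps in the capturing machine's time zone.

Added example, not from the tcpdump project or the list thread.  Assumes
Python 3.9+ (zoneinfo) and a system tz database; zone names and the
in-memory capture below are constructed sample input.
"""
import struct
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:  # Python < 3.9: no zoneinfo, only the fixed-offset fallback
    ZoneInfo = None
    ZoneInfoNotFoundError = Exception

PCAP_MAGIC_US = 0xA1B2C3D4   # classic pcap, microsecond fractions
PCAP_MAGIC_NS = 0xA1B23C4D   # classic pcap, nanosecond fractions


def build_pcap(records, endian="<", magic=PCAP_MAGIC_US):
    """Build a minimal classic pcap in memory (constructed sample data, not a
    real capture).  records: iterable of (epoch_seconds, fraction, payload)."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for sec, frac, payload in records:
        out += struct.pack(endian + "IIII", sec, frac, len(payload), len(payload))
        out += payload
    return out


def pcap_layout(data):
    """Return (struct endian prefix, fraction unit) from the magic number."""
    for endian in ("<", ">"):
        magic, = struct.unpack(endian + "I", data[:4])
        if magic == PCAP_MAGIC_US:
            return endian, 1_000_000
        if magic == PCAP_MAGIC_NS:
            return endian, 1_000_000_000
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def pcap_record_times(data):
    """Yield one aware UTC datetime per record.  Classic pcap stores seconds
    since the Unix epoch, i.e. UTC; the header's 'thiszone' field is 0 in
    practice and ignored by libpcap, so nothing in the file says which zone
    the capturing machine was in.  That is why the reader has to be told
    (via TZ) which zone to render in."""
    endian, unit = pcap_layout(data)
    off = 24                                  # global header length
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len
        yield datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(
            microseconds=frac * 1_000_000 // unit)


def resolve_zone(name, fixed_hours=None):
    """Resolve an Olson name with zoneinfo; if the tz database is missing
    (condition 1 in the reply) fall back to a fixed UTC offset when the caller
    supplied one.  For Asia/Singapore (UTC+8, no DST) both paths agree."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except ZoneInfoNotFoundError:
            pass
    if fixed_hours is None:
        raise ValueError(f"no tz database entry for {name} and no fixed offset given")
    return timezone(timedelta(hours=fixed_hours), name)


def render_tt(data):
    """Equivalent of 'tcpdump -tt': raw epoch seconds.microseconds, zone-free."""
    return [f"{int(t.timestamp())}.{t.microsecond:06d}" for t in pcap_record_times(data)]


def render_tttt(data, tz):
    """Equivalent of 'TZ=<zone> tcpdump -tttt': wall-clock time in the given zone."""
    return [t.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S.%f") for t in pcap_record_times(data)]


# Constructed sample: two frames captured in Singapore around the time of the
# original mail (2009-05-15 01:05:31 UTC = 09:05:31 local in Asia/Singapore).
SAMPLE = build_pcap([
    (1242349531, 123, b"\x00" * 14),
    (1242349531, 987654, b"\x00" * 60),
])

if __name__ == "__main__":
    capture_zone = resolve_zone("Asia/Singapore", fixed_hours=8)
    for raw, local in zip(render_tt(SAMPLE), render_tttt(SAMPLE, capture_zone)):
        print(raw, "->", local)
```

Because the stored value is absolute, a batch of captures from several sites can each be rendered with its own zone (one resolve_zone call per site) with no arithmetic on the timestamps themselves; the manual "-tt plus N hours" approach is only ever re-deriving what the zone database already knows, including any DST rule in effect on the capture date.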