tcpdump mailing list archives
Re: local timestamp recovery of .cap files
From: Guy Harris <guy () alum mit edu>
Date: Thu, 14 May 2009 18:48:52 -0700
On May 14, 2009, at 6:10 PM, Andrej van der Zee wrote:
> Thanks a lot for your email. I wish .cap files stored some meta-information such as local timezone, IP address, etc.
pcap-NG: http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html can store a 4-byte "Time zone for GMT support" value of unspecified interpretation (probably a seconds-from-GMT offset), although, if the capture crosses a standard time/summer time boundary either at the location where it's captured or the location at which it's read, that's not sufficient. Unfortunately, there isn't a universal standard for specifying time zones - the Olson time zone names are a sort-of-standard, but not all OSes use them (many popular ones do, but the "most popular one", i.e. Windows, doesn't), and even for those that do some of them don't use the current names (Solaris is still living in the past there).
It can also store, on a per-interface basis, the IPv4, IPv6, and MAC or EUI addresses for the interface, as well as storing name-to-IPv4-address and name-to-IPv6-address mappings.
Of course, there is no *requirement* that any of that information be present, so you'd need to have the programs doing the capturing store the relevant information.
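An added example, not part of the original message and not tcpdump or libpcap code: a Python reader that pulls the per-interface metadata described above (addresses and the raw time zone value) out of pcap-NG Interface Description Blocks, so an analyst can see whether a capture carries it at all. The option codes follow the pcap-NG draft as an assumption, the file is assumed little-endian, and the sample bytes and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# IDB option codes per the pcap-NG draft (assumed; the post names fields, not codes).
IF_IPV4ADDR, IF_IPV6ADDR, IF_MACADDR, IF_TZONE = 4, 5, 6, 10
SHB, IDB = 0x0A0D0D0A, 0x00000001

def opt(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)

def block(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def build_sample():
    """Constructed little-endian file: one section header, one interface block."""
    opts = (opt(IF_IPV4ADDR, bytes([192, 0, 2, 10, 255, 255, 255, 0]))
            + opt(IF_MACADDR, bytes.fromhex("020000000001"))
            + opt(IF_TZONE, struct.pack("<i", -25200)) + opt(0, b""))
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    return shb + block(IDB, struct.pack("<HHI", 1, 0, 65535) + opts)

def idb_options(opts):
    meta, pos = {"ipv4": [], "ipv6": [], "mac": None, "tzone_raw": None}, 0
    while pos + 4 <= len(opts):
        code, length = struct.unpack_from("<HH", opts, pos)
        value = opts[pos + 4:pos + 4 + length]
        if code == 0 or len(value) < length:   # end-of-options or truncated option
            break
        if code == IF_IPV4ADDR and length == 8:      # address followed by netmask
            meta["ipv4"].append("%s/%s" % (IPv4Address(value[:4]), IPv4Address(value[4:])))
        elif code == IF_IPV6ADDR and length == 17:   # address followed by prefix length
            meta["ipv6"].append("%s/%d" % (IPv6Address(value[:16]), value[16]))
        elif code == IF_MACADDR and length == 6:
            meta["mac"] = ":".join("%02x" % b for b in value)
        elif code == IF_TZONE and length == 4:
            meta["tzone_raw"] = struct.unpack("<i", value)[0]  # kept raw: meaning unspecified
        pos += 4 + length + (-length % 4)            # option values are padded to 32 bits
    return meta

def interface_metadata(data):
    """One dict per interface block; options the capturing program omitted stay empty."""
    out, pos = [], 0
    while pos + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, pos)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("bad block length at offset %d" % pos)
        if btype == IDB:   # options follow the 8-byte header and 8 fixed body bytes
            out.append(idb_options(data[pos + 16:pos + total - 4]))
        pos += total
    return out
```

An interface block written without options comes back with every field empty, which is the case the message warns about: none of this metadata is mandatory.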