Re: Should the tcpdump tests be run with TZ=GMT0, or should the AFS printer print time stamps in UTC?

[Denis Ovsienko <denis () ovsienko info>]

 ---- On Mon, 06 Aug 2018 09:51:36 +0100 John Hawkinson <jhawk () MIT EDU> wrote ---- 
> Denis Ovsienko <denis () ovsienko info> wrote on Mon,  6 Aug 2018 
> at 09:42:16 +0100 in <1650e66b5ad.12b3ab99e15597.8336631397456496826 () ovsienko info>: 
>  
> > When a network protocol has a timestamp and defines it in UTC (which 
> > is often the case), to me it looks consistent if the host in the 
> > middle of the exchange (or completely out of the exchange, if that 
> > is a .pcap file) prints it in UTC as well. Such as, for example 
> > somebody in time zone A decoding NTP packets between hosts in time 
> > zones B and C --- why would the man in the middle need to translate 
> > the timestamps to any of those timezones when NTP encodes and 
> > operates UTC in the first place? 
>  
> I think most of the time people who look at the output of decoders are doing so from the perspective of one of the 
> two hosts, such as debugging application layer software. In such cases, the man in the middle perspective is really 
> a strawman. 

This is one of the popular use cases and I definitely have experience with it.

However, another experience of mine was such troubleshooting sessions that involved engineers and hosts spread across 
several time zones. As the network engineer I was effectively the man in the middle, having to analyze traffic that was 
forwarded rather than terminated, and one of the things you want to keep out of scope are local timezones. I 
acknowledge this is not the most popular use case, but for me it is a valid experience to consider.

> > The protocol terminating software would be more likely to need to 
> > translate UTC to a local timezone to verify or action it. Opposed to 
> > that, a protocol decoder just tells you what's on the wire. 
>  
> Under normal usage, tcpdump prints the local time at the beginning of the line. A person looking at timestamps on 
> the wire frequently wants to correlate those timestamps to the time of packet receipt. If they are in different 
> timezones, that can be more challenging (although not always, since often we only care about the minutes and 
> seconds). 

You have a point, but let me remind that the host that makes the capture may be badly off in terms of both clock 
(because NTP is broken) and time zone (because it was deployed with a wrong configuration or the daylight saving rules 
have changed), so the capture timestamps should be taken with a grain of salt.

Anyway, as I explained, I can live with either format so long as it is unambiguous.

-- 
    Denis Ovsienko


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers