Re: timezone question

[Guy Harris <guy () alum mit edu>]

On Dec 19, 2003, at 1:02 AM, Gisle Vanem wrote:

> "alex medvedev" <alexm () pycckue org> said:
>
> > suppose i create a tcpdump at 9 am in moscow, russia (+3hrs east from
> > GMT);
> > then i read it on a machine in dallas, tx (-6hrs west from GMT).
> >
> > what time stamps should i see on packets?
> > 9am or 6pm?
>
> Normally if you don't use any time-options in tcpdump, you'll
> see 9am. Since AFAIK libpcap stores the timestamp unchanged
> in whatever timezone the OS passes the frame to libpcap.

They're stored in standard UNIX "struct timeval" format, with seconds 
since January 1, 1970, 00:00:00 GMT, and microseconds, so they're 
stored in a close approximation of UTC.

As such, I'd expect the time stamps to display as 6PM if read in Dallas 
(unless you change the time zone setting for the process reading them, 
e.g. "TZ=Europe/Moscow tcpdump -r {filename}" with a Bourne-compatible 
shell on many UNIXes).

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe