Re: local timestamp recovery of .cap files

[Guy Harris <guy () alum mit edu>]

On May 14, 2009, at 6:10 PM, Andrej van der Zee wrote:

> Thanks a lot for your email. I wish .cap files stored some
> meta-information such as local timezone, IP address, etc.

pcap-NG:

        http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

can store a 4-byte "Time zone for GMT support" value of unspecified  
interpretation (probably a seconds-from-GMT offset), although, if the  
capture crosses a standard time/summer time boundary either at the  
location where it's captured or the location at which it's read,  
that's not sufficient.  Unfortunately, there isn't a universal  
standard for specifying time zones - the Olson time zone names are a  
sort-of-standard, but not all OSes use them (many popular ones do, but  
the "most popular one", i.e. Windows, doesn't), and even for those  
that do some of them don't use the current names (Solaris is still  
living in the past there).

It can also store, on a per-interface basis, the IPv4, IPv6, and MAC  
or EUI addresses for the interface, as well as storing name-to-IPv4- 
address and name-to-IPv6 address mappings.

Of course, there is no *requirement* that any of that information be  
present, so you'd need to have the programs doing the capturing store  
the relevant information.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.