Re: local timestamp recovery of .cap files

[Guy Harris <guy () alum mit edu>]

On May 14, 2009, at 8:23 PM, Andrej van der Zee wrote:

> Hi,
>
> >        2) does, but "helpfully" converts the time to local time (in  
> > which
> > case, whoever decided to be "helpful" needs to be hit with said  
> > sock).
>
> I found that tcpdump with -tttt converts to local time, but tcpdump
> -tt report GMT.

By "'helpfully' converts the time to local time" I was referring to  
converting a UNIX seconds-since-the-Epoch/microseconds value to  
seconds-since-the-Epoch-but-adjusted-to-be-local-time/microseconds  
value and writing that to the capture file.  Converting a UNIX seconds- 
since-the-Epoch/microseconds value to local time and printing or  
displaying it, as tcpdump and Wireshark do, is OK; converting a UNIX  
seconds-since-the-Epoch/microseconds value to seconds-since-the-Epoch- 
but-adjusted-to-be-local-time/microseconds value and writing that to  
the capture file is a Very Very Very Very Very Bad Idea, because  
programs that read pcap files assume the time stamps have seconds- 
since-the-Epoch/microseconds time stamps, not seconds-since-the-Epoch- 
but-adjusted-to-be-local-time/microseconds values.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.