Re: local timestamp recovery of .cap files

[rh <rh.forums () verizon net>]

On Fri, May 15, 2009 at 2:20 PM, Guy Harris <guy () alum mit edu> wrote:

> On May 15, 2009, at 12:43 AM, Jefferson Ogata wrote:
>
>  This has come up before, back when we were talking about the NG format.
> > I guess I got confused by the current context; if pcap files are
> > natively UTC (which I had thought they were until this thread arose,
> > seeming to suggest they weren't), great.
>
> They are.
>
> The issue in the thread is how to *display* the time stamps, especially if
> you want to know what *local* time, at the point of capture, a packet
> arrived, when you're reading it in a different time zone.  *That* requires
> that some form of time zone information for the point of capture be
> available, whether in the capture file or, for example, in an email to which
> the capture file was attached.  So there's a use for time zone information
> in a capture file even when the time stamps in the capture file are in UTC.


For what it's worth, I've adopted, and used for several years now, the
convention of putting the timezone in the name of capture file itself (e.g.,
blah_blah_1530_EDT.pcap) since capture files I create are used by analysts
that might be anywhere.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.