Re: local timestamp recovery of .cap files

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

On 2009-05-15 18:20, Guy Harris wrote:
> On May 15, 2009, at 12:43 AM, Jefferson Ogata wrote:
> > This has come up before, back when we were talking about the NG format.
> > I guess I got confused by the current context; if pcap files are
> > natively UTC (which I had thought they were until this thread arose,
> > seeming to suggest they weren't), great.
>
> They are.
>
> The issue in the thread is how to *display* the time stamps, especially 
> if you want to know what *local* time, at the point of capture, a packet 
> arrived, when you're reading it in a different time zone.  *That* 
> requires that some form of time zone information for the point of 
> capture be available, whether in the capture file or, for example, in an 
> email to which the capture file was attached.  So there's a use for time 
> zone information in a capture file even when the time stamps in the 
> capture file are in UTC.

It seemed to me as if he was trying to go the other way 'round. I don't 
have the original message any more so I can't say why I got that impression.

> > I configure all my systems in
> > UTC anyway, so I never have issues, and I wouldn't be able to tell
> > without tweaking $TZ.
> >
> > Frankly, I don't understand why anyone configures a UNIX-like system in
> > anything other than UTC. That's what $TZ is for.
>
> There are two ways I see in which "configure a UNIX-like system for a 
> particular time zone" could be read:
>
>     1) set the default time zone used by routines such as localtime() 
> and mktime() to convert UTC to local time;
>
>     2) set the time zone of the value returned by 
> time()/gettimeofday()/etc..

3) Set the time zone of the system to a local zone instead of UTC, e.g. 
by setting a global TZ value or copying an Olson zone file to 
/etc/localtime. This is what a lot of people do, and I don't see why.

Users who want their desktops to operate in a local zone can just set TZ 
for their environment.

One thing I hate having to deal with is syslog messages logged in a 
local time zone. There is no indication of zone in syslog messages. 
Furthermore, at DST end you can have syslog messages where it is 
impossible to determine the actual time something was logged. 
Correlating syslog messages from multiple systems is a royal PITA when 
people use local zones system-wide, and it's completely unnecessary to 
do so.

Anyway, this is off-topic. But as someone who has to correlate data from 
systems in 12 or so different time zones, it's something I care about.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.