Wireshark mailing list archives
Re: frame_data.abs_ts and pcap timestamp reference
From: Guy Harris <guy () alum mit edu>
Date: Wed, 9 Dec 2009 09:47:28 -0800
On Dec 9, 2009, at 6:32 AM, RUOFF LARS wrote:

> Is frame_data.abs_ts /* Absolute timestamp */ given in UTC or local time?

UTC.

> Can someone give me a hint on where to search for the code that does the conversion before display (if any)?

abs_time_to_str(), etc. in epan/to_str.c.

> Do pcap files store timestamps in UTC or local time?

UTC. See, for example, the pcap-savefile man page in libpcap 1.0.0 and later, or http://wiki.wireshark.org/Development/LibpcapFileFormat

> If UTC, do they store the time zone?

In theory, yes. In practice, no. There is a time zone offset field in the file header, but no application (tcpdump, *thereal/*shark, etc.) has ever set it to anything other than 0, as far as I know (I know that libpcap, which is what most applications use to write the files, sets it to 0).
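An added example, not part of the original post and not Wireshark or libpcap code: a small reader for the classic pcap layout that returns the file header's time zone offset field and each record timestamp as a UTC datetime, which is how the reply above says the values are to be read. The function names and the sample capture bytes are constructed for illustration; the field layout follows the LibpcapFileFormat page linked in the reply.

```python
import struct
from datetime import datetime, timedelta, timezone

# Magic value -> sub-second units per second (microsecond and nanosecond variants).
MAGICS = {0xA1B2C3D4: 10**6, 0xA1B23C4D: 10**9}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_pcap(data):
    """Return (thiszone, [UTC datetime per record]) for a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap file header")
    # The magic number tells us the byte order the writer used.
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    # version_major, version_minor, thiszone (signed), sigfigs, snaplen, linktype
    _, _, thiszone, _, _, _ = struct.unpack_from(endian + "HHiIII", data, 4)
    times, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        if off + 16 + incl_len > len(data):
            raise ValueError("truncated packet record")
        # Seconds since the Unix epoch, interpreted as UTC; no local-time shift applied.
        usec = ts_frac * 10**6 // MAGICS[magic]
        times.append(EPOCH + timedelta(seconds=ts_sec, microseconds=usec))
        off += 16 + incl_len
    return thiszone, times

def build_sample(endian="<", magic=0xA1B2C3D4, frac=250000):
    """Constructed capture: one 4-byte dummy packet, thiszone field set to 0."""
    hdr = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack(endian + "IIII", 1260380848, frac, 4, 4) + b"\x00" * 4
    return hdr + rec

if __name__ == "__main__":
    zone, stamps = parse_pcap(build_sample())
    print("thiszone field:", zone)
    for t in stamps:
        print(t.isoformat())
```

When building a timeline from several captures, a non-zero value returned for the offset field is worth recording alongside the timestamps, since it marks a file not written the way the reply describes.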