Re: changing the time

[Martin Mathieson <martin.r.mathieson () googlemail com>]

I don't know if overriding the time is a good idea - but I'm not sure what
would go wrong.

You can add any field as a column by right-clicking on the field and
choosing 'Apply as Column'.  I do this with the log files my company uses -
we have a timestamp field in our file format that ends up being dissected
(see hf_catapult_dct2000_timestamp in packet-catapult-dct2000.c).

I find it tedious to try to analyse a file that is not in the correct order
though, and it can interfere with sequence analysis that dissectors can do.
 If it is easy to find/parse the timestamp, I would consider writing a
console wiretap program, based upon reordercap, that would:
- read the frames in, but overwriting the timestamp with a value derived
from the timestamp parsed from your frames
- sort the frames by this timestamp
- write sorted frames to an output file

Of course, I don't really know what you are doing, and whether seeing the
original capture time is also useful....

Martin

On Thu, Jan 31, 2013 at 5:42 AM, Natalie Shapira <nd1234 () gmail com> wrote:

> Thanks.
>
> Eventually I override
> pinfo->fd->rel_ts
> pinfo->fd->del_dis_ts
>
> It looks good.
>
> If I would have problems again, I will create separate column.
> BTW, can you think about dissector who did it (adding column)? so I could
> use it as an example..
> Natalie.
>
>
> On Wed, Jan 30, 2013 at 2:44 PM, Evan Huus <eapache () gmail com> wrote:
>
> > You can add the new timestamp as a regular dissected field. Wireshark
> > allows you to create columns out of arbitrary fields in dissected
> > packets.
> >
> > Cheers,
> > Evan
> >
> > On Wed, Jan 30, 2013 at 4:51 AM, Natalie Shapira <nd1234 () gmail com>
> > wrote:
> > > Anyway, you gave me other idea. What about making new column of
> > my_timestamp
> > > and sort by that column... Do I have the ability to add a new column
> > from a
> > > dissector?
> > >
> > > On Wed, Jan 30, 2013 at 11:46 AM, Natalie Shapira <nd1234 () gmail com>
> > wrote:
> > > > I have no choice. It's a workaround for a hardware bug.
> > > >
> > > > On Wed, Jan 30, 2013 at 11:05 AM, Anders Broman
> > > > <anders.broman () ericsson com> wrote:
> > > > > Hi,
> > > > > Those are the timestamps of packet arrival there should be no need to
> > > > > change them from a dissector - sounds like a bad idea to me.
> > > > > Regards
> > > > > Anders
> > > > >
> > > > > ________________________________
> > > > > From: wireshark-dev-bounces () wireshark org
> > > > > [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Natalie
> > Shapira
> > > > > Sent: den 30 januari 2013 09:16
> > > > > To: wireshark-dev () wireshark org
> > > > > Subject: [Wireshark-dev] changing the time
> > > > >
> > > > >
> > > > > Hi everybody,
> > > > >
> > > > > It's my first question so, nice to meet you!
> > > > >
> > > > > I'm writing new dissector (plugin).
> > > > > I want to change the time of the packet.
> > > > > I tried to change pinfo->fd->rel_ts.secs and pinfo->fd->rel_ts.nsecs.
> > It
> > > > > looks like I did it BUT, after sorting, not all packets are in the
> > exact
> > > > > place.
> > > > >
> > > > > Do you have an example, idea or any recommendation?
> > > > >
> > > > > Thanks,
> > > > > Natalie.
> > ___________________________________________________________________________
> > > > > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > > > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > > > >
> > > > > mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
> > ___________________________________________________________________________
> > > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > >              mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >              mailto:wireshark-dev-request () wireshark org
> > ?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe