Wireshark mailing list archives

Re: adding IRIG time and time of day


From: "John Dill" <John.Dill () greenfieldeng com>
Date: Sat, 2 Nov 2013 19:36:02 -0400

Date: Fri, 1 Nov 2013 14:18:04 -0700
From: Guy Harris <guy () alum mit edu>
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] adding IRIG time and time of day
Message-ID: <7D6992B1-A55A-45A6-948D-117DC8C29D22 () alum mit edu>
Content-Type: text/plain; charset=iso-8859-1


On Nov 1, 2013, at 1:39 PM, John Dill <John.Dill () greenfieldeng com> wrote:

I just finished installing the latest version of wireshark 1.10.2 and was able to build it successfully for Windows 
7 using the recommended procedure in the developer's guide.

One of the things that I'd like to tweak is to add an IRIG time of day to the list of Time Display Formats.

Note that View -> Time Display Format controls the way packet time stamps are displayed, so the only formats that make 
sense are formats where you can take a count of seconds and nanoseconds since January 1, 1970, 00:00:00 UTC and 
convert it to that format.  Nothing else is implementable.

If, however, the file contains IRIG time stamps *in addition to* the packet time stamp read by Wireshark, it might be 
possible to have an IRIG time stamp column, separate from the "Time" column.

The issue is that my packet stream is synchronized to an IRIG time code generator and I would like to display the date 
in the following format.

(day) hh:mm:ss.nnnnnnnnn

The timestamp is populated with a time of day starting with day 1 as Jan 1 12:00:00am and wraps around at either day 
365 or 366 which corresponds to Dec 31, 11:59:59pm.  One slight issue is that the IRIG time does not capture the 
year, so some method will be needed to specify whether the date is in a leap year. I could use a heuristic like the 
date from the file, or use Ctrl + Alt + 8 to cycle between leap year and non-leap year displays.

The data is not collected from Wireshark directly, but from an external board that uses a modified pcap driver 
(cpcap) that I use to stream collected packets to file.

What is the file format?  Where does it store the IRIG time stamps?

The file is NTAR (another name for pcap-ng?).  The software stores the 64-bit IRIG timestamp in the Timestamp 
(High)/Timestamp (Low) field of a Packet Block.  It's injected into the packet stream from a 10-nanosecond resolution 
clock on the capture board that is synchronized to an external IRIG-B timecode.  It's used to synchronize the time of 
the packet stream with ARINC 429 and MIL-STD-1553 data streams, which are also IRIG-B time coded.

IRIG-B is a time format that is simply a count of seconds since Jan 1 at midnight UTC, not from 1970.

   +---------------------------------------------------------------+
 0 |                    Block Type = 0x00000006                    |
   +---------------------------------------------------------------+
 4 |                      Block Total Length                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 8 |                         Interface ID                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12 |                        Timestamp (High)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IRIG-B Timestamp
16 |                        Timestamp (Low)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
20 |                         Captured Len                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
24 |                          Packet Len                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
28 /                                                               /
   /                          Packet Data                          /
   /          /* variable length, aligned to 32 bits */            /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                                                               /
   /                      Options (variable)                       /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Block Total Length                       |
   +---------------------------------------------------------------+

Isn't the time column displayed based on the contents of Timestamp (High)/Timestamp (Low)?  I figure that adding 
another display option should be feasible to handle this special case.  Everything looks fine when I use the UTC time 
without the date, but with a date it's wrong as it displays a date in 1970.

Best regards,
John D.
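
The conversion discussed in this message, as an added example (not code from the thread or from Wireshark): it reads Timestamp (High)/Timestamp (Low) at the offsets in the block diagram, bounds-checks the block, and renders the value as "(day) hh:mm:ss.nnnnnnnnn". Assumptions: the section is little-endian, the timestamp unit is 10 ns (in a real file the unit comes from the interface's if_tsresol option), and the names `epb_timestamp`, `irig_format` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample EPB: little-endian section, 4 data bytes, no options. */
static const uint8_t SAMPLE_EPB[36] = {
    0x06,0,0,0,  0x24,0,0,0,  0,0,0,0,          /* type 6, total length 36, interface 0 */
    0x1E,0x63,0x09,0x00,  0x4E,0x43,0xF1,0x36,  /* Timestamp (High), Timestamp (Low) */
    4,0,0,0,  4,0,0,0,  0,1,2,3,  0x24,0,0,0    /* caplen, pktlen, data, total length */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pull the 64-bit timestamp out of an Enhanced Packet Block; -1 if malformed. */
int epb_timestamp(const uint8_t *blk, size_t len, uint64_t *ticks) {
    if (len < 32 || rd32le(blk) != 0x00000006u) return -1;
    uint32_t total = rd32le(blk + 4);
    if (total < 32 || total > len || (total & 3u)) return -1;
    if (rd32le(blk + 20) > total - 32) return -1;      /* Captured Len must fit */
    if (rd32le(blk + total - 4) != total) return -1;   /* trailing length must match */
    *ticks = ((uint64_t)rd32le(blk + 12) << 32) | rd32le(blk + 16);
    return 0;
}

/* Format ticks since Jan 1 00:00:00 as "(day) hh:mm:ss.nnnnnnnnn", day 1 = Jan 1.
 * days_in_year (365 or 366) is supplied by the caller; IRIG carries no year. */
int irig_format(uint64_t ticks, uint64_t ticks_per_sec, unsigned days_in_year,
                char *out, size_t outlen) {
    if (ticks_per_sec == 0 || ticks_per_sec > 1000000000u) return -1;
    uint64_t secs = ticks / ticks_per_sec;
    unsigned long nsec = (unsigned long)((ticks % ticks_per_sec) * 1000000000u / ticks_per_sec);
    uint64_t day = secs / 86400u + 1;
    if (day > days_in_year) return -1;                 /* past the wrap point */
    unsigned sod = (unsigned)(secs % 86400u);
    int n = snprintf(out, outlen, "(%u) %02u:%02u:%02u.%09lu", (unsigned)day,
                     sod / 3600, sod / 60 % 60, sod % 60, nsec);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    uint64_t t; char buf[32];
    if (epb_timestamp(SAMPLE_EPB, sizeof SAMPLE_EPB, &t) == 0 &&
        irig_format(t, 100000000u, 365, buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

A value that lands on day 366 is rejected when the caller passes 365, which is where the leap-year choice raised in the message shows up.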
