Wireshark mailing list archives

Re: Doubt regarding absolute time in wireshark


From: Guy Harris <guy () alum mit edu>
Date: Tue, 9 Dec 2014 12:18:34 -0800


On Dec 9, 2014, at 1:04 AM, Vishnu Bhatt <vishnu.bhatt () aricent com> wrote:

Suppose I capture a pcap file in country ‘A’ and the pcap file is being seen in some other machine in country 
‘B’. What “absolute time” should Wireshark display? I’ve seen ambiguous behavior, in some cases A’s time zone is 
displayed and sometimes B’s timezone.

I'm assuming here that by "pcap file" you're specifically referring to files in pcap format, not just to all types of 
captures, no matter what file format they're in.

(Note also that some countries have more than one time zone, so I'll refer to "machine A" and "machine B", and their 
locations, rather than to "country A" and "country B".)

In pcap files, time stamps are supposed to be stored as seconds since January 1, 1970, 00:00:00 UTC, followed by 
microseconds (or, in a variant of that format, with a different magic number, nanoseconds) since that second.

If machines A and B are in different time zones (or have different daylight savings time/summer time rules), then, by 
default, B's time zone should be used, as, by default, the routines Wireshark uses to convert those time stamps should 
convert them to local time in the time zone of the machine on which Wireshark is running.

Pcap files have a "time zone offset" field, but no programs I know of set it in the file, so neither tcpdump nor 
Wireshark uses it, nor will use it - and, as no programs I know of set it, even if they *did* use it, it wouldn't give 
you time stamps in the time zone of the machine that captured the packet.

So I'm somewhat surprised that, unless you configure machine B to be in machine A's time zone - or, on UN*X, run 
Wireshark with the TZ environment variable set for machine A's time zone - you *ever* see machine A's time zone.

The same applies to pcap-ng files, which store time stamps as units since January 1, 1970, 00:00:00 UTC.  It has a 
not-well-described option in an Interface Description Block for a time zone, but, as it's not well described, I know of 
no software that uses it.

Some other capture file formats store time stamps in local time; Wireshark converts them to UTC for internal use, using 
routines that will convert them assuming that they're in the local time of the machine running Wireshark.  This *could* 
make it appear (modulo differences in daylight savings time/summer time rules) as if it's showing the time stamps from 
machine A's time zone.  However, again, that won't happen for *pcap* files.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
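The following script is an added example illustrating the points in the message above; it is not code from the message, from tcpdump or from Wireshark. It parses the 24-byte pcap file header (the magic number fixes both byte order and whether the sub-second field is microseconds or nanoseconds), reads the per-packet record headers, reports the rarely-set time zone offset field, and then renders one stored UTC instant the way a viewer on "machine A" and a viewer on "machine B" would see it. The magic values 0xA1B2C3D4 and 0xA1B23C4D are the standard pcap ones; the two zone offsets (+05:30 and -08:00) and the one-packet capture are constructed for the demo and are not taken from the thread.

```python
"""Parse pcap headers and show one UTC time stamp in two viewers' time zones.

Added example, not code from the mailing-list message or from Wireshark.
The zone offsets and the sample capture below are constructed for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap: seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # variant: seconds + nanoseconds
_MAGICS = (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC)

# Constructed viewer zones as fixed offsets (no tz database needed).
MACHINE_A = timezone(timedelta(hours=5, minutes=30), "machine A (+05:30)")
MACHINE_B = timezone(timedelta(hours=-8), "machine B (-08:00)")


def parse_pcap(data: bytes):
    """Return (thiszone, [(ts_sec, ts_frac, ticks_per_second), ...]).

    Byte order and sub-second resolution both follow from the magic number;
    thiszone is the "time zone offset" header field that writers leave at 0.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap file header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in _MAGICS:
            break
    else:
        raise ValueError("not a pcap file (unknown magic number)")
    ticks = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    _vmaj, _vmin, thiszone, _sigfigs, _snaplen, _linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_frac, ticks))
        off += incl_len
    return thiszone, records


def to_utc(ts_sec: int, ts_frac: int, ticks: int) -> datetime:
    """ts_sec is seconds since 1970-01-01T00:00:00Z, so it is already UTC;
    only the sub-second scale depends on the format variant."""
    usec = ts_frac * 1_000_000 // ticks
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=usec)


def render(utc: datetime, viewer_tz: timezone) -> str:
    """The same instant as the wall-clock time a viewer in viewer_tz sees."""
    return utc.astimezone(viewer_tz).strftime("%Y-%m-%d %H:%M:%S.%f %z")


def build_sample_pcap(magic: int, endian: str, ts_sec: int, ts_frac: int,
                      thiszone: int = 0) -> bytes:
    """Constructed one-packet capture (dummy payload) for the demo."""
    payload = b"\x00" * 14
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, thiszone, 0, 65535, 1)
    record = struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload))
    return header + record + payload


if __name__ == "__main__":
    # Constructed instant: 2014-12-09 20:18:34.123456 UTC, in both variants.
    for magic, endian, frac in ((PCAP_MAGIC_USEC, "<", 123456),
                                (PCAP_MAGIC_NSEC, ">", 123456789)):
        tz_field, recs = parse_pcap(build_sample_pcap(magic, endian, 1418156314, frac))
        utc = to_utc(*recs[0])
        print(f"magic 0x{magic:08X} {endian!r}: thiszone={tz_field} utc={utc.isoformat()}")
        print("  shown on machine A:", render(utc, MACHINE_A))
        print("  shown on machine B:", render(utc, MACHINE_B))
```

Running it shows the same stored value rendering as 01:48:34 on the +05:30 machine and 12:18:34 on the -08:00 machine: nothing in the file says where it was captured, and the thiszone field reads 0 regardless, which is why a viewer only ever sees its own zone unless TZ is overridden.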

