Wireshark mailing list archives

Time Zone Setting in a PCAP-NG file


From: Paul Offord <Paul.Offord () advance7 com>
Date: Sun, 5 Feb 2017 18:21:54 +0000

Hi,

I need some guidance on the time zone settings in a PCAP-NG file.

I have a pcapng file captured in the UK on 12th October 2016.  That means that the time zone at the time of capture was 
GMT +1.  There is a trace entry in this trace that shows in Wireshark today as 15:40:31.541142.  A screenshot taken at 
the time of the trace entry shows a clock time of 15:40.


If I look inside the pcapng file with a hex editor, there is no if_tzone option set in the IDB.  The EPB for the trace 
entry I've referred to above has:


* Timezone High - 0xAB3E0500
* Timezone Low - 0xC0B1FE22

If there is no time reference setting in the trace file, how does Wireshark know that the file was recorded in GMT +1 
timezone?

This isn't just idle curiosity.  I've written a trace format converter that converts IIS Logs into pcapng files.  IIS 
logs are recorded with GMT times by default.  The converter works OK but the timestamps in the packet list of the 
resulting converted file show as though I am looking at GMT (see image below).  So I have an IIS log entry that 
matches the network trace entry above but shows as 14:40:31.



I've tried coding for the if_tzone IDB option and setting it to zero (GMT) but it makes no difference.

How do I get Wireshark to convert the time of a GMT trace entry to local time?

Thanks and regards...Paul
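
Added example (not part of the original message and not Wireshark or converter code): the pcapng format defines the EPB Timestamp (High)/(Low) pair as a 64-bit count of time units since 1970-01-01 00:00:00 UTC, in microseconds when the IDB carries no if_tsresol option, so a GMT log time is encoded unchanged and any local-time rendering is a conversion applied when the value is read. The log line, the function names and the fixed +1 hour offset are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TSRESOL_DEFAULT = 6  # pcapng default without if_tsresol: units of 10^-6 s

# Constructed W3C-style IIS log line; the first two fields are date and time in GMT.
SAMPLE_IIS_LINE = "2016-10-12 14:40:31 192.0.2.10 GET /index.html - 80 - 198.51.100.7 200"


def iis_time_utc(line):
    """Parse the leading date and time fields and mark them explicitly as UTC."""
    date, time = line.split()[:2]
    naive = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def epb_timestamp(ts, byte_order="<", tsresol=TSRESOL_DEFAULT):
    """Encode an aware datetime as the 8 bytes Timestamp (High) + Timestamp (Low).

    Only power-of-ten resolutions are handled (assumption of this example).
    """
    if ts.tzinfo is None:
        raise ValueError("naive datetime: attach the source zone before encoding")
    micros = (ts - EPOCH) // timedelta(microseconds=1)
    units = micros * 10**tsresol // 10**6
    return struct.pack(byte_order + "II", units >> 32, units & 0xFFFFFFFF)


def epb_datetime(raw, byte_order="<", tsresol=TSRESOL_DEFAULT):
    """Decode the 8 timestamp bytes back to an aware UTC datetime."""
    high, low = struct.unpack(byte_order + "II", raw)
    micros = ((high << 32) | low) * 10**6 // 10**tsresol
    return EPOCH + timedelta(microseconds=micros)


def display(raw, utc_offset_hours):
    """Render the stored UTC instant in a viewer zone given as a fixed offset."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return epb_datetime(raw).astimezone(zone).strftime("%H:%M:%S")


if __name__ == "__main__":
    raw = epb_timestamp(iis_time_utc(SAMPLE_IIS_LINE))
    print("EPB timestamp bytes :", raw.hex())
    print("viewed at GMT       :", display(raw, 0))
    print("viewed at GMT +1    :", display(raw, 1))
```
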
