Re: local timestamp recovery of .cap files

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

On 2009-05-15 01:48, Guy Harris wrote:
> pcap-NG:
>
>     http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
>
> can store a 4-byte "Time zone for GMT support" value of unspecified 
> interpretation (probably a seconds-from-GMT offset), although, if the 
> capture crosses a standard time/summer time boundary either at the 
> location where it's captured or the location at which it's read, that's 
> not sufficient.  Unfortunately, there isn't a universal standard for 
> specifying time zones - the Olson time zone names are a 
> sort-of-standard, but not all OSes use them (many popular ones do, but 
> the "most popular one", i.e. Windows, doesn't), and even for those that 
> do some of them don't use the current names (Solaris is still living in 
> the past there).
>
> It can also store, on a per-interface basis, the IPv4, IPv6, and MAC or 
> EUI addresses for the interface, as well as storing name-to-IPv4-address 
> and name-to-IPv6 address mappings.
>
> Of course, there is no *requirement* that any of that information be 
> present, so you'd need to have the programs doing the capturing store 
> the relevant information.

But the point of storing the mostly irrelevant zone data as metadata is 
so that it can be recorded when pcap timestamps are UTC, as they always 
should have been. I'd like to find the person who decided to store 
localtime instead of gmtime in the pcap timestamp field and smack him or 
her with a large sock filled with horse manure.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.