Re: frame_data.abs_ts and pcap timestamp reference

[Guy Harris <guy () alum mit edu>]

On Dec 9, 2009, at 6:32 AM, RUOFF LARS wrote:

> Is frame_data.abs_ts /* Absolute timestamp */ given in UTC or local
> time?

UTC.

> Can someone give me a hint on where to search for the code that does  
> the
> conversion before display (if any)?

abs_time_to_str(), etc. in epan/to_str.c.

> Do pcap files store timestamps in UTC or local time?

UTC.  See, for example, the pcap-savefile man page in libpcap 1.0.0  
and later, or

        http://wiki.wireshark.org/Development/LibpcapFileFormat

> If UTC, do they store the time zone?

In theory, yes.  In practice, no.  There is a time zone offset field  
in the file header, but no application (tcpdump, *thereal/*shark,  
etc.) has ever set it to anything other than 0, as far as I know (I  
know that libpcap, which is what most applications use to write the  
files, sets it to 0).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe