Re: Time Display issues opening traces

[Chris Alton <enfiniti27 () hotmail com>]

Thanks a lot for that explanation Guy that gives me everything I needed.  I figured that was probably the case but I 
swore I remembered Wireshark (or Ethereal) not doing that in the past but I missed that it seems :).

I guess I'll have to wait for pcap-ng to become more prevalent before I'll get my wish.



> From: guy () alum mit edu
> Date: Fri, 10 Jun 2011 12:49:12 -0700
> To: wireshark-users () wireshark org
> Subject: Re: [Wireshark-users] Time Display issues opening traces
>
>
> On Jun 10, 2011, at 12:39 PM, Chris Alton wrote:
>
> > That method would work if I knew what timezone the trace was from but I get traces from all kinds of different Time 
> > Zones and I'd have to change that quite often.
> >
> > I'm also pretty sure that Wireshark didn't used to do this in the past but I may be remembering incorrectly.
>
> pcap and pcap-ng files store the time stamp as UTC (*not* as local time where the traffic was captured), and 
> Wireshark converts and has always (dating back to before it was called Wireshark) converted it to local time.
>
> You would, therefore, have to change the time zone setting every time you look at a trace in a different time zone.  
> pcap-ng, but not pcap, has the ability to record something indicating the time zone setting for a capture, but 
> currently it's not well specified - it's currently specified as a 4-byte value with an unspecified meaning - and not 
> supported.
>
> > I'm also kind of confused as to why changing the times in a network trace to the local timezone would actually be 
> > of any help in the first place. I seriously tried to think of a reason and was unable to come up with anything :)
>
> At least for pcap and pcap-ng captures - and for newer NetMon captures - it's not *changing* the time to the local 
> time zone, it's displaying it *in* the local time zone, rather than as UTC; the alternative would be to display it as 
> UTC, which, for most locations, would require you to, well, mentally compensate for the time zone difference.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe