authorGuy Harris <guy@alum.mit.edu>2010-07-21 16:25:59 +0000
committerGuy Harris <guy@alum.mit.edu>2010-07-21 16:25:59 +0000
commit45c49c957fb914c667e470f8f523ed4b7446d4b9 (patch)
tree93c9366276c771480f7c5cfff519c3d16ea79e7c /wiretap/netmon.c
parentba6c5161ba580eed73bb665f8df902dac6b683e7 (diff)
According to mail from Paul Long at Microsoft, in the 1.x NetMon file
format, the time offset from the start of the capture always had a positive value, so it's an unsigned value. (In newer versions of NetMon 3.x, the capture can start before the "capture start" time stamp is set, so packets can have a *negative* offset from the capture start time stamp. Those captures are in the 2.x file format.) svn path=/trunk/; revision=33607
Diffstat (limited to 'wiretap/netmon.c')
-rw-r--r--wiretap/netmon.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/wiretap/netmon.c b/wiretap/netmon.c
index a5ac170995..761b7afbc0 100644
--- a/wiretap/netmon.c
+++ b/wiretap/netmon.c
@@ -516,7 +516,13 @@ again:
switch (netmon->version_major) {
case 1:
- delta = ((gint32)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
+ /*
+ * According to Paul Long, this offset is unsigned.
+ * It's 32 bits, so the maximum value will fit in
+ * a gint64 such as delta, even after multiplying
+ * it by 1000.
+ */
+ delta = ((guint32)pletohl(&hdr.hdr_1_x.ts_delta))*1000;
break;
case 2:
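Review bot: The multiplication in the `case 1:` branch is still done in 32-bit unsigned arithmetic, because the operand is cast to `guint32` and `1000` is a plain `int`; the product wraps modulo 2^32 before it is widened into `delta`, so the new comment's claim that the result fits in a gint64 does not hold for the expression as written. Any on-disk `ts_delta` above 4294967 produces a wrapped, wrong offset, and since that field is read straight from the capture file, a long or malformed capture reaches it. Widening before the multiply fixes it: `delta = (gint64)((guint32)pletohl(&hdr.hdr_1_x.ts_delta))*1000;`, with the comment extended to say the cast to gint64 is there so the product is computed in 64 bits. The enclosing switch and function start and end outside the hunk, so how `delta` is used afterwards is not visible here.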