author | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 2004-02-06 04:27:19 +0000 |
---|---|---|
committer | guy <guy@f5534014-38df-0310-8fa8-9805f1628bb7> | 2004-02-06 04:27:19 +0000 |
commit | b7f0cf5dc05842d1546cbd16b78341d712895b94 (patch) | |
tree | 04efef31dac1d0c569b7d49bb3f864a576a4e3ef /wiretap | |
parent | 23e6ab1c14def73b306bd40bac37038de3d72c8b (diff) |
The time stamps in *Peek V9 files appear to be in nanoseconds from the
Windows FILETIME epoch, i.e. midnight, January 1, 1601.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@9993 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/airopeek9.c | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/wiretap/airopeek9.c b/wiretap/airopeek9.c
index 8b04a36e59..5cabb07e40 100644
--- a/wiretap/airopeek9.c
+++ b/wiretap/airopeek9.c
@@ -1,7 +1,7 @@
 /* airopeek9.c
 * Routines for opening EtherPeek and AiroPeek V9 files
 *
- * $Id: airopeek9.c,v 1.7 2004/02/06 03:12:21 guy Exp $
+ * $Id: airopeek9.c,v 1.8 2004/02/06 04:27:19 guy Exp $
 *
 * Wiretap Library
 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
@@ -65,14 +65,12 @@ typedef struct airopeek_section_header {
 #define TAG_AIROPEEK_V9_UNKNOWN_0x000D 0x000D
 #define TAG_AIROPEEK_V9_SLICE_LENGTH 0xffff
-/* 64-bit time in nano seconds from the (Mac) epoch */
+/* 64-bit time in nanoseconds from the (Windows FILETIME) epoch */
 typedef struct airopeek_utime {
 guint32 upper;
 guint32 lower;
 } airopeek_utime;
-static const unsigned int mac2unix = 2082844800u;
-
 static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info,
 long *data_offset);
 static gboolean airopeekv9_seek_read(wtap *wth, long seek_off,
@@ -193,7 +191,7 @@ int airopeek9_open(wtap *wth, int *err, gchar **err_info)
 * XXX - we should get the length of the "\177ver" section, check
 * that it's followed by a little-endian 0x00000200, and then,
 * when reading the XML, make sure we don't go past the end of
- * that section, and skip to the end of tha section when
+ * that section, and skip to the end of that section when
 * we have the file version (and possibly check to make sure all
 * tags are properly opened and closed).
 */
@@ -212,7 +210,7 @@ int airopeek9_open(wtap *wth, int *err, gchar **err_info)
 /* If we got this far, we assume it's an AiroPeek V9 file. */
 if (fileVersion != 9) {
- /* We only support version 9 and later. */
+ /* We only support version 9. */
 *err = WTAP_ERR_UNSUPPORTED;
 *err_info = g_strdup_printf("airopeekv9: version %u unsupported",
 fileVersion);
@@ -285,7 +283,7 @@ int airopeek9_open(wtap *wth, int *err, gchar **err_info)
 return 0;
 /*
- * This is an AiroPeek V9 file.
+ * This is an EtherPeek or AiroPeek V9 file.
 */
 wth->data_offset = file_tell (wth->fh);
@@ -409,6 +407,16 @@ airopeekv9_process_header(FILE_T fh, hdr_info_t *hdr_info, int *err)
 return header_len;
 }
+/*
+ * Time stamps appear to be in nanoseconds since the Windows epoch
+ * as used in FILETIMEs, i.e. midnight, January 1, 1601.
+ *
+ * This magic number came from "nt_time_to_nstime()" in "packet-smb.c".
+ * 1970-1601 is 369; I'm not sure what the extra 3 days and 6 hours are
+ 8 that are being subtracted.
+ */
+#define TIME_FIXUP_CONSTANT (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
+
 static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info _U_,
 long *data_offset)
 {
@@ -454,11 +462,10 @@ static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info _U_,
 t = (double) hdr_info.timestamp.lower +
 (double) hdr_info.timestamp.upper * 4294967296.0;
- t = t / 1000.0; /* nano seconds -> micro seconds */
- t -= (double) mac2unix * 1000000.0;
- wth->phdr.ts.tv_sec = (time_t) (t/1000000.0);
- wth->phdr.ts.tv_usec = (guint32) (t - (double) wth->phdr.ts.tv_sec *
- 1000000.0);
+ t *= 1.0e-9;
+ t -= TIME_FIXUP_CONSTANT;
+ wth->phdr.ts.tv_sec = (time_t) t;
+ wth->phdr.ts.tv_usec = (guint32) ((t - wth->phdr.ts.tv_sec)*1000000);
 switch (wth->file_encap) {
 |
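Review bot: The comment added above `TIME_FIXUP_CONSTANT` has a stray `8` where the ` *` comment leader belongs, on the line `8 that are being subtracted.`, and the question it leaves open has an arithmetic answer that the comment should record. 369 years at 365.25 days is 134777.25 days, while 1601-01-01 to 1970-01-01 is 134774 days, because 1700, 1800 and 1900 were not leap years and 369 × 0.25 leaves a quarter day over. The 3 days 6 hours therefore bring the value to exactly 11644473600 seconds. I would replace the last two comment lines with something like `* 369*365.25 days overcounts by 3.25 days: 1700, 1800 and 1900 had no leap day, plus the .25 remainder.`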
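Review bot: The rewritten conversion at the end of this hunk casts a file-supplied timestamp from `double` to `time_t` and `guint32` with no range check. Both 32-bit halves come straight from the capture file, so a stamp earlier than 1970 makes `t` negative and a large one can exceed what `time_t` holds; converting an out-of-range floating value to an integer type is undefined behaviour in C. A double also carries only 53 bits of mantissa, so for current dates the microsecond field is quantised to roughly 2 µs. Doing the arithmetic in `guint64` avoids both, using new locals `ts` and `secs` and a proposed 64-bit constant `FILETIME_EPOCH_DELTA_SECS` equal to 11644473600, though a 32-bit `time_t` would still need an upper-bound check. airopeekv9_read's body starts and ends outside the hunk.

```c
/* … unchanged: hdr_info filled in from the packet header … */
	ts = ((guint64) hdr_info.timestamp.upper << 32) | hdr_info.timestamp.lower;
	secs = ts / 1000000000;		/* whole seconds since 1601 */
	if (secs < FILETIME_EPOCH_DELTA_SECS) {
		/* stamp predates 1970: not representable, report the epoch */
		wth->phdr.ts.tv_sec = 0;
		wth->phdr.ts.tv_usec = 0;
	} else {
		wth->phdr.ts.tv_sec = (time_t) (secs - FILETIME_EPOCH_DELTA_SECS);
		wth->phdr.ts.tv_usec = (guint32) ((ts % 1000000000) / 1000);
	}
/* … unchanged: switch (wth->file_encap) … */
```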