diff options
author | Bill Meier <wmeier@newsguy.com> | 2007-05-29 14:20:54 +0000 |
---|---|---|
committer | Bill Meier <wmeier@newsguy.com> | 2007-05-29 14:20:54 +0000 |
commit | 3b12c867a2b5f23a6d40197d4887b55306027d97 (patch) | |
tree | 0c695b86160109696f924ecdc8435c414dcb5750 /wiretap | |
parent | 6a6895fafa91b4e901ea159bc1a31ae2494f90ba (diff) |
Another sniffer timestamp display fix; addresses bug 866 and other reports.
(Also: change variable name to correctly reflect usage).
svn path=/trunk/; revision=21982
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/netxray.c | 64 | ||||
-rw-r--r-- | wiretap/wtap-int.h | 2 |
2 files changed, 48 insertions, 18 deletions
diff --git a/wiretap/netxray.c b/wiretap/netxray.c index 4d0cae8bd3..7fedc24ca0 100644 --- a/wiretap/netxray.c +++ b/wiretap/netxray.c @@ -77,7 +77,9 @@ struct netxray_hdr { guint32 linespeed; /* speed of network, in bits/second */ guint8 xxx_x40[12]; /* unknown [other stuff] */ - guint8 realtick[4]; /* in v2, means ??? */ + guint8 realtick[4]; /* (ticks/sec for Ethernet/Ndis/Timeunit=2 ?) */ + /* (realtick[1], realtick[2] also curently */ + /* used as flag for 'FCS presence') */ guint8 xxx_x50[4]; /* unknown [other stuff] */ guint8 captype; /* capture type */ @@ -168,6 +170,16 @@ struct netxray_hdr { * have 1193000. Most of those, in one set of captures somebody has, * are wrong. * + * XXX - 05/29/07: For Ethernet captype = 0 (NDIS) and timeunit = 2: + * Perusal of a number of Sniffer captures + * (including those from Wireshark bug reports + * and those from the Wireshark 'menagerie) + * suggests that 'realtick' for this case + * contains the correct ticks/second to be used. + * So: we'll use realtick for Ethernet captype=0 and timeunit=2. + * (It might be that realtick should be used for Ethernet captype = 0 + * and timeunit = 1 but I've not yet enough captures to be sure). + * * XXX - in at least one ATM capture, hdr.realtick is 1193180.0 * and hdr.timeunit is 0. Does that capture have a captype of * CAPTYPE_ATM? If so, what should the table for ATM captures with @@ -302,7 +314,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) gboolean is_old; struct netxray_hdr hdr; guint network_type; - double timeunit; + double ticks_per_sec; int version_major, version_minor; int file_type; double start_timestamp; @@ -451,12 +463,12 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) switch (file_type) { case WTAP_FILE_NETXRAY_OLD: - timeunit = 1000.0; + ticks_per_sec = 1000.0; wth->tsprecision = WTAP_FILE_TSPREC_MSEC; break; case WTAP_FILE_NETXRAY_1_0: - timeunit = 1000.0; + ticks_per_sec = 1000.0; wth->tsprecision = WTAP_FILE_TSPREC_MSEC; break; @@ -467,7 +479,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) * rather than the milliseconds time stamps in NetXRay * and older versions of Windows Sniffer. */ - timeunit = 1000000.0; + ticks_per_sec = 1000000.0; wth->tsprecision = WTAP_FILE_TSPREC_USEC; break; @@ -493,7 +505,19 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.timeunit, hdr.version); return -1; } - timeunit = TpS[hdr.timeunit]; + /* + XXX: 05/29/07: Use 'realtick' instead of TpS table in this + specific case; Using 'realtick' here results + in the correct 'ticks per second' for all the captures that + I have of this type (including captures from a number of Wirshark + bug reports). + */ + if (hdr.timeunit == 2) { + ticks_per_sec = pletohl(hdr.realtick); + } + else { + ticks_per_sec = TpS[hdr.timeunit]; + } break; case ETH_CAPTYPE_GIGPOD: @@ -505,7 +529,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.timeunit, hdr.version); return -1; } - timeunit = TpS_gigpod[hdr.timeunit]; + ticks_per_sec = TpS_gigpod[hdr.timeunit]; /* * At least for 002.002 and 002.003 @@ -525,7 +549,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.timeunit, hdr.version); return -1; } - timeunit = TpS_otherpod[hdr.timeunit]; + ticks_per_sec = TpS_otherpod[hdr.timeunit]; /* * At least for 002.002 and 002.003 @@ -545,7 +569,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.timeunit, hdr.version); return -1; } - timeunit = TpS_otherpod2[hdr.timeunit]; + ticks_per_sec = TpS_otherpod2[hdr.timeunit]; /* * XXX: start time stamp in the one capture file examined of this type was 0; * We'll assume the start time handling is the same as for other pods. @@ -567,7 +591,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.timeunit, hdr.version); return -1; } - timeunit = TpS_gigpod2[hdr.timeunit]; + ticks_per_sec = TpS_gigpod2[hdr.timeunit]; /* * XXX: start time stamp in the one capture file examined of this type was 0; * We'll assume the start time handling is the same as for other pods. @@ -598,7 +622,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) hdr.version); return -1; } - timeunit = TpS[hdr.timeunit]; + ticks_per_sec = TpS[hdr.timeunit]; break; } @@ -612,7 +636,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) * 1 microsecond to display more digits of precision? * XXX - Seems reasonable to use nanosecs only if TPS >= 10M */ - if (timeunit >= 1e7) + if (ticks_per_sec >= 1e7) wth->tsprecision = WTAP_FILE_TSPREC_NSEC; else wth->tsprecision = WTAP_FILE_TSPREC_USEC; @@ -620,9 +644,9 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) default: g_assert_not_reached(); - timeunit = 0.0; + ticks_per_sec = 0.0; } - start_timestamp = start_timestamp/timeunit; + start_timestamp = start_timestamp/ticks_per_sec; if (network_type == 4) { /* @@ -724,7 +748,7 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) wth->file_encap = file_encap; wth->snapshot_length = 0; /* not available in header */ wth->capture.netxray->start_time = pletohl(&hdr.start_time); - wth->capture.netxray->timeunit = timeunit; + wth->capture.netxray->ticks_per_sec = ticks_per_sec; wth->capture.netxray->start_timestamp = start_timestamp; wth->capture.netxray->version_major = version_major; @@ -805,6 +829,12 @@ int netxray_open(wtap *wth, int *err, gchar **err_info) * There don't seem to be any other values in any of the * xxx_x5..., xxx_x6...., xxx_x7.... fields * that obviously correspond to frames having an FCS. + * + * 05/29/07: Examination of numerous sniffer captures suggests + * that the apparent correlation of certain realtick + * bytes to 'FCS presence' may actually be + * a 'false positive'. + * ToDo: Review analysis and update code. */ if (version_major == 2) { if (hdr.realtick[1] == 0x34 && hdr.realtick[2] == 0x12) @@ -938,7 +968,7 @@ reread: if (wth->capture.netxray->version_major == 0) { t = (double)pletohl(&hdr.old_hdr.timelo) + (double)pletohl(&hdr.old_hdr.timehi)*4294967296.0; - t /= wth->capture.netxray->timeunit; + t /= wth->capture.netxray->ticks_per_sec; t -= wth->capture.netxray->start_timestamp; wth->phdr.ts.secs = wth->capture.netxray->start_time + (long)t; wth->phdr.ts.nsecs = (unsigned long)((t-(double)(unsigned long)(t)) @@ -952,7 +982,7 @@ reread: } else { t = (double)pletohl(&hdr.hdr_1_x.timelo) + (double)pletohl(&hdr.hdr_1_x.timehi)*4294967296.0; - t /= wth->capture.netxray->timeunit; + t /= wth->capture.netxray->ticks_per_sec; t -= wth->capture.netxray->start_timestamp; wth->phdr.ts.secs = wth->capture.netxray->start_time + (long)t; wth->phdr.ts.nsecs = (unsigned long)((t-(double)(unsigned long)(t)) diff --git a/wiretap/wtap-int.h b/wiretap/wtap-int.h index 73ba2ed892..15e1310b5c 100644 --- a/wiretap/wtap-int.h +++ b/wiretap/wtap-int.h @@ -107,7 +107,7 @@ typedef struct { typedef struct { time_t start_time; - double timeunit; + double ticks_per_sec; double start_timestamp; gboolean wrapped; guint32 nframes; |