This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PCAPNG: timestamps get changed when tshark reads and saves a pcapng file

0

When you try to read a pcapng file and save it to a new pcapng file, the timestamp is trimmed down! The decimal place is moved to the front and the last digit is rounded off. The timestamp is no longer correct. Could anyone please help me correct it? Thanks a lot!

--------------------------------------------------
$ tshark -r capture.20120625.pcapng -t e | head -3
1 1340398414.509256500 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53 RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
2 1340398416.805447300 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53 RST. Root = 32768/20/00:05:73:fe:3b:81  Cost = 0  Port = 0x80b6
3 1340398417.391487800 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device ID: SSI1516004B  Port ID: Ethernet1/50/2
--------------------------------------------------
$ tshark -F pcapng -r capture.20120625.pcapng -w testout.pcapng -c 3

$ tshark -r testout.pcapng -t e | head -3
1 134039841.450925600 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53 RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
2 134039841.680544700 Cisco_fe:3b:7d -> Spanning-tree-(for-bridges)_00 STP 53 RST. Root = 32768/20/00:05:73:fe:3b:81 Cost = 0 Port = 0x80b6
3 134039841.739148700 Cisco_fe:3b:7d -> CDP/VTP/DTP/PAgP/UDLD UDLD 128 Device ID: SSI1516004B Port ID: Ethernet1/50/2
--------------------------------------------------

asked 02 Jul ‘12, 20:54

Holy
accept rate: 0%

edited 03 Jul ‘12, 16:08

Guy Harris ♦♦


2 Answers:

1

I tried this in 1.8.0 (well, actually the trunk) and did not have the problem. Are you using 1.8.0 or a previous version? If you're using an older version, please upgrade.

If you're using 1.8.0, please file a bug report.

answered 03 Jul '12, 11:35

JeffMorriss ♦
accept rate: 27%

1

That's not losing precision, that's getting significantly changed - the integer portions of 1340398414.509256500 and 134039841.450925600 are significantly different.

Please file a bug against whatever versions of Wireshark have this problem, even if it's prior to 1.8.0. TShark might be failing to set the time stamp resolution correctly in the Interface Description Block(s) in the output file:

$ bc
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
1340398414.509256500/134039841.450925600
10

so the resolution might be off by a factor of 10.

answered 03 Jul '12, 16:12

Guy Harris ♦♦
accept rate: 19%

Thank you for your quick response!

I checked that my if_tsresol field in the original IS block is 7. So effectively the timestamp lost its least significant digit but the program still wanted to maintain the original number of decimal places. As a result, the decimal point is moved to the front by 1 digit.

I am using:

libpcap-1.3.0
wireshark-1.8.0 ( downloaded from http://www.wireshark.org/download.html )

Are there any other components that may affect the precision?

Thanks again!

(03 Jul '12, 17:29) Holy

> Are there any other components that may affect the precision?

I don't know. Please file a bug on this on the Wireshark Bugzilla, so that we can track it and note when it's fixed.

(03 Jul '12, 17:54) Guy Harris ♦♦
(08 Jul '12, 18:58) Holy

Fixed in rev 43649, and fix backported to the 1.8 branch, so it'll be fixed in 1.8.1. It's not TShark-specific - anything that reads pcap-ng files with an interface that doesn't have the default 1-microsecond time stamp resolution and writes out packets from that interface will get it wrong.

(10 Jul '12, 12:21) Guy Harris ♦♦
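
The symptom discussed in this thread can be reproduced offline with a small pcapng reader that honours if_tsresol. This is an added example, not code from the thread or from Wireshark. The in-memory captures are constructed, little-endian only, and the "rewritten" file assumes the writer stored microsecond ticks while keeping if_tsresol at 7, which is what the numbers in the question suggest.

```python
import struct

def block(btype, body):
    # pcapng framing: type, total length, body padded to 4 bytes, total length again
    body += b"\0" * (-len(body) % 4)
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def capture(tsresol, ticks):
    # Constructed little-endian file: SHB, one IDB with if_tsresol (option 9), one EPB
    shb = block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    opts = struct.pack("<HHB3x", 9, 1, tsresol) + struct.pack("<HH", 0, 0)
    idb = block(1, struct.pack("<HHI", 1, 0, 0) + opts)
    epb = block(6, struct.pack("<5I", 0, ticks >> 32, ticks & 0xFFFFFFFF, 4, 4) + b"\0" * 4)
    return shb + idb + epb

def timestamps(buf):
    # Return one "seconds.nanoseconds" string per EPB, scaled by its interface's if_tsresol
    out, per_sec, pos = [], [], 0
    while pos < len(buf):
        btype, total = struct.unpack_from("<II", buf, pos)
        body = buf[pos + 8:pos + total - 4]
        if btype == 1:                       # Interface Description Block
            unit, o = 10**6, 8               # default resolution is 1 microsecond
            while o + 4 <= len(body):
                code, olen = struct.unpack_from("<HH", body, o)
                if code == 0:                # opt_endofopt
                    break
                if code == 9:                # if_tsresol: MSB set means power of 2
                    v = body[o + 4]
                    unit = 2 ** (v & 0x7F) if v & 0x80 else 10 ** v
                o += 4 + olen + (-olen % 4)
            per_sec.append(unit)
        elif btype == 6:                     # Enhanced Packet Block
            iface, hi, lo = struct.unpack_from("<III", body, 0)
            secs, rem = divmod((hi << 32) | lo, per_sec[iface])
            out.append(f"{secs}.{rem * 10**9 // per_sec[iface]:09d}")
        pos += total
    return out

def drifted(original, rewritten):
    # Indexes of packets whose decoded time changed across a read/write round trip
    pairs = zip(timestamps(original), timestamps(rewritten))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

TICKS = 13403984145092565                    # first packet on the page, in 10^-7 s units
ORIGINAL = capture(7, TICKS)
REWRITTEN = capture(7, TICKS // 10)          # assumed symptom: microsecond ticks, tsresol still 7
```

Running `drifted()` over a capture and its re-saved copy is a quick integrity check before the copy is used in an incident timeline or correlated with other logs.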