Packet timestamps with capinfos/tshark (lauched from cygwin) are off by several hours

Question

I have a cap file captured with tcpdump on a Linux system. The first paket is known to be dated Thu Dec 06 11:47:00. This is what I see when I run capinfos -a or tcpdump -r on Linux, and also when I open the file in Wireshark on Windows.

When I run capinfos -m on Windows, I am told the time of the first packet is Thu Dec 06 16:47:00 2012. Tshark will display the same if I run it with -T fields -e frame.time.

If I run tshark on Windows with -T fields -e frame.time_epoch and convert it with date -d '@1354812420.853205000', I will get the time I want. But I'd rather not do the conversion myself.

So my question is: what is going on with my timestamps? Both machines I am using are in the same timezone and clocks are set correctly. Can I have tshark display the time I want without doing any conversions myself?

EDIT: How to reproduce

It is actually simple to reproduce. I simply captured a telnet attempt with tcpdump and ran capinfos on it.

What really bothers me is tshark and wireshark not displaying the same thing. If I play with the timestamps with editcap, they won't show up correctly in wireshark anymore.

If I capture with tshark I won't have such problem. Maybe its time to start capturing directly with tshark. I have been capturing with tcpdump out of habit (and analysing with wireshark on windows).

RHEL 5.7 (tcpdump-3.9.4-15, wireshark-1.0.15-1)

File name: cap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Number of packets: 5
File size: 450 bytes
Data size: 346 bytes
Capture duration: 3.117839 seconds
Start time: Mon Dec 17 10:17:44 2012
End time: Mon Dec 17 10:17:47 2012
Data rate: 110.97 bytes/s
Data rate: 887.79 bits/s
Average packet size: 69.20 bytes

On Windows (Wireshark Version 1.8.4 (SVN Rev 46250 from /trunk-1.8, cygwin)

File name:           cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 96 bytes
Number of packets:   5
File size:           450 bytes
Data size:           346 bytes
Capture duration:    3 seconds
Start time:          Mon Dec 17 15:17:44 2012
End time:            Mon Dec 17 15:17:47 2012
Data byte rate:      110.97 bytes/sec
Data bit rate:       887.79 bits/sec
Average packet size: 69.20 bytes
Average packet rate: 1.60 packets/sec
SHA1:                93e5fbf5bf7a6df1f6da066977335890c50e74e8
RIPEMD160:           c866a969118d29e58f65adf1a91faf1726430965
MD5:                 35870c270f932cecfb838b091afe7797
Strict time order:   True

EDIT 2

The timezone is identical on both systems. The simplest way to see it:

# RHEL date -R Mon, 17 Dec 2012 11:56:34 -0500 CYGWIN

LANG=en date -R Mon, 17 Dec 2012 11:56:00 -0500

On Linux TZ is not set. /etc/timezone does not exist on RHEL. But here’s what I have in /etc/sysconfig/clock:

ZONE="America/Montreal"
UTC=true
ARC=false

On Windows, TZ is not set. But the date gui shows the right zone as well as regedit:

 standardname        REG_SZ  Eastern Standard Time

This whole problem seems to revolve around UTC. The dates I see in capinfos and tshark are UTC.

Accepted Answer

By default, Wireshark and associated programs follow the timezone setting of the user, and display times in the users local timezone.

I would guess that the timezone setting for the command prompt on the windows systems where you are running the errant capinfos and tshark have a timezone that is set 5 hours earlier than the linux system.

Edit:

After your edit 2 about the timezone settings I'm a bit confused. On Windows are you running a Windows version or a Linux version run with Cygwin? If you are using a Windows version then try running it under a normal Windows Cmd Prompt or PowerShell rather than Cygwin.

Answer 2

it shows the same timestamp on my Ubuntu 12.04 and my Win XP system (see below), but a different time than on your system, which is due to a different time zone (here: CET). So I guess, it's a timezone problem, as already mentioned by @grahamb.

What is the output of these commands on your systems?

Windows: reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation /v standardname | FIND "REG_SZ"

Windows: set | find "TZ"

Linux: cat /etc/timezone

Linux: echo $TZ

Windows XP

Z:\ask.wireshark.org>capinfos timestamp.cap File name: timestamp.cap File type: Wireshark/tcpdump/... - libpcap File encapsulation: Ethernet Packet size limit: file hdr: 96 bytes Number of packets: 5 File size: 450 bytes Data size: 346 bytes Capture duration: 3 seconds Start time: Mon Dec 17 16:17:44 2012 End time: Mon Dec 17 16:17:47 2012 Data byte rate: 110.97 bytes/sec Data bit rate: 887.79 bits/sec Average packet size: 69.20 bytes Average packet rate: 1.60 packets/sec SHA1: 93e5fbf5bf7a6df1f6da066977335890c50e74e8 RIPEMD160: c866a969118d29e58f65adf1a91faf1726430965 MD5: 35870c270f932cecfb838b091afe7797 Strict time order: True

Z:\ask.wireshark.org>tshark -nr timestamp.cap -T fields -e frame.time Dec 17, 2012 16:17:44.234821000 Dec 17, 2012 16:17:44.234822000 Dec 17, 2012 16:17:44.234835000 Dec 17, 2012 16:17:47.352494000 Dec 17, 2012 16:17:47.352660000

Ubuntu 12.04

[email protected]:/$ capinfos timestamp.cap File name: timestamp.cap File type: Wireshark/tcpdump/… - libpcap File encapsulation: Ethernet Packet size limit: file hdr: 96 bytes Number of packets: 5 File size: 450 bytes Data size: 346 bytes Capture duration: 3 seconds Start time: Mon Dec 17 16:17:44 2012 End time: Mon Dec 17 16:17:47 2012 Data byte rate: 110.97 bytes/sec Data bit rate: 887.79 bits/sec Average packet size: 69.20 bytes Average packet rate: 1.60 packets/sec SHA1: 93e5fbf5bf7a6df1f6da066977335890c50e74e8 RIPEMD160: c866a969118d29e58f65adf1a91faf1726430965 MD5: 35870c270f932cecfb838b091afe7797 Strict time order: True [email protected]:$ tshark -nr timestamp.cap -T fields -e frame.time Dec 17, 2012 16:17:44.234821000 Dec 17, 2012 16:17:44.234822000 Dec 17, 2012 16:17:44.234835000 Dec 17, 2012 16:17:47.352494000 Dec 17, 2012 16:17:47.352660000

[email protected]:$ tcpdump -nr /tmp/timestamp.cap reading from file /tmp/timestamp.cap, link-type EN10MB (Ethernet) 16:17:44.234821 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [S], seq 4185924599, win 32792, options [mss 16396,sackOK,TS val 3539423714 ecr 0,nop,wscale 7], length 0 16:17:44.234822 IP 127.0.0.1.18009 > 127.0.0.1.25533: Flags [S.], seq 4191217688, ack 4185924600, win 32768, options [mss 16396,sackOK,TS val 3539423714 ecr 3539423714,nop,wscale 7], length 0 16:17:44.234835 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [.], ack 1, win 257, options [nop,nop,TS val 3539423714 ecr 3539423714], length 0 16:17:47.352494 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [F.], seq 1, ack 1, win 257, options [nop,nop,TS val 3539426832 ecr 3539423714], length 0 16:17:47.352660 IP 127.0.0.1.18009 > 127.0.0.1.25533: Flags [R.], seq 1, ack 2, win 256, options [nop,nop,TS val 3539426832 ecr 3539426832], length 0

Regards
Kurt