This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet timestamps with capinfos/tshark (launched from cygwin) are off by several hours

0

I have a cap file captured with tcpdump on a Linux system. The first packet is known to be dated Thu Dec 06 11:47:00. This is what I see when I run capinfos -a or tcpdump -r on Linux, and also when I open the file in Wireshark on Windows.

When I run capinfos -m on Windows, I am told the time of the first packet is Thu Dec 06 16:47:00 2012. Tshark will display the same if I run it with -T fields -e frame.time.

If I run tshark on Windows with -T fields -e frame.time_epoch and convert it with date -d '@1354812420.853205000', I will get the time I want. But I'd rather not do the conversion myself.

So my question is: what is going on with my timestamps? Both machines I am using are in the same timezone and clocks are set correctly. Can I have tshark display the time I want without doing any conversions myself?

EDIT: How to reproduce

It is actually simple to reproduce. I simply captured a telnet attempt with tcpdump and ran capinfos on it.

What really bothers me is tshark and Wireshark not displaying the same thing. If I play with the timestamps with editcap, they won't show up correctly in Wireshark anymore.

If I capture with tshark I won't have such a problem. Maybe it's time to start capturing directly with tshark. I have been capturing with tcpdump out of habit (and analysing with Wireshark on Windows).

RHEL 5.7 (tcpdump-3.9.4-15, wireshark-1.0.15-1)

File name: cap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Number of packets: 5
File size: 450 bytes
Data size: 346 bytes
Capture duration: 3.117839 seconds
Start time: Mon Dec 17 10:17:44 2012
End time: Mon Dec 17 10:17:47 2012
Data rate: 110.97 bytes/s
Data rate: 887.79 bits/s
Average packet size: 69.20 bytes

On Windows (Wireshark Version 1.8.4 (SVN Rev 46250 from /trunk-1.8, cygwin)):

File name:           cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 96 bytes
Number of packets:   5
File size:           450 bytes
Data size:           346 bytes
Capture duration:    3 seconds
Start time:          Mon Dec 17 15:17:44 2012
End time:            Mon Dec 17 15:17:47 2012
Data byte rate:      110.97 bytes/sec
Data bit rate:       887.79 bits/sec
Average packet size: 69.20 bytes
Average packet rate: 1.60 packets/sec
SHA1:                93e5fbf5bf7a6df1f6da066977335890c50e74e8
RIPEMD160:           c866a969118d29e58f65adf1a91faf1726430965
MD5:                 35870c270f932cecfb838b091afe7797
Strict time order:   True

EDIT 2

The timezone is identical on both systems. The simplest way to see it:

# RHEL
date -R
Mon, 17 Dec 2012 11:56:34 -0500

# CYGWIN
LANG=en date -R
Mon, 17 Dec 2012 11:56:00 -0500

On Linux TZ is not set. /etc/timezone does not exist on RHEL. But here’s what I have in /etc/sysconfig/clock:

ZONE="America/Montreal"
UTC=true
ARC=false

On Windows, TZ is not set. But the date gui shows the right zone as well as regedit:

 standardname        REG_SZ  Eastern Standard Time

This whole problem seems to revolve around UTC. The dates I see in capinfos and tshark are UTC.

asked 13 Dec '12, 12:31

PhilippeA
accept rate: 0%

edited 11 Mar '16, 16:01

Guy Harris ♦♦

Can you post that file somewhere (cloudshark.org)?

(14 Dec '12, 07:48) Kurt Knochner ♦

See http://cloudshark.org/captures/50cca25994ec. The timestamp in cloudshark shows correctly (10:17:44). But it should not with tshark/capinfos. Please also see my question edit. Thanks.

(17 Dec '12, 07:55) PhilippeA

Did you look at my answer below? Can you show the output of set TZ from the command prompt where you call capinfos\tshark?

(17 Dec '12, 08:13) grahamb ♦

Eastern Standard Time == GMT - 5, so it looks like your Windows system shows GMT time (5 hours difference).

(17 Dec '12, 10:30) Kurt Knochner ♦
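The shift described in the question is a rendering difference, not a data difference: a pcap record stores an epoch timestamp and each tool converts it using the zone of the process that runs it. The following added example (not from the thread or from Wireshark) parses a constructed one-packet pcap carrying the epoch value quoted above and renders it both in UTC and in the -0500 zone that both hosts reported; the offsets are assumed fixed, which is correct for December (standard time).

```python
"""Parse the first record of a pcap file and render its timestamp the way
capinfos/tshark would, in two zones, to show why a stray TZ setting shifts
the displayed time by whole hours while the epoch value stays the same."""
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: pcap global header (little-endian, microsecond magic)
# followed by one record carrying the epoch value quoted in the question
# (1354812420.853205). Link type 1 = Ethernet; the packet bytes are dummy.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    + struct.pack("<IIII", 1354812420, 853205, 4, 4)
    + b"\x00\x01\x02\x03"
)

# Zones from the thread: both hosts reported -0500 (Eastern Standard Time).
UTC = timezone.utc
EST = timezone(timedelta(hours=-5), "EST")


def first_timestamp(data):
    """Return (seconds, nanoseconds) of the first packet record.
    Handles both byte orders and the nanosecond-resolution magic."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4, little-endian, usec
        endian, scale = "<", 1000
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian, usec
        endian, scale = ">", 1000
    elif magic == b"\x4d\x3c\xb2\xa1":    # 0xa1b23c4d, little-endian, nsec
        endian, scale = "<", 1
    elif magic == b"\xa1\xb2\x3c\x4d":    # big-endian, nsec
        endian, scale = ">", 1
    else:
        raise ValueError("not a pcap file")
    sec, frac = struct.unpack(endian + "II", data[24:32])
    return sec, frac * scale


def frame_time_epoch(data):
    """Same text as `tshark -T fields -e frame.time_epoch`: zone-independent."""
    sec, nsec = first_timestamp(data)
    return f"{sec}.{nsec:09d}"


def frame_time(data, tz):
    """Wall-clock rendering in the given zone, in capinfos' date layout."""
    sec, nsec = first_timestamp(data)
    dt = datetime.fromtimestamp(sec, tz) + timedelta(microseconds=nsec // 1000)
    return dt.strftime("%a %b %d %H:%M:%S %Y")
```

Running frame_time on the same bytes with UTC and with EST reproduces the 16:47 versus 11:47 readings from the question, so a tool that shows 16:47 on a -0500 host is converting with the wrong zone, not reading a different file.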


2 Answers:

1

By default, Wireshark and associated programs follow the timezone setting of the user, and display times in the user's local timezone.

I would guess that the command prompt on the Windows system where you are running the errant capinfos and tshark has a timezone that is set 5 hours earlier than the Linux system.

Edit:

After your edit 2 about the timezone settings I'm a bit confused. On Windows are you running a Windows version or a Linux version run with Cygwin? If you are using a Windows version then try running it under a normal Windows Cmd Prompt or PowerShell rather than Cygwin.

answered 14 Dec '12, 08:17

grahamb ♦
accept rate: 22%

edited 17 Dec '12, 09:34

The date command output is from Cygwin. I checked the rest in cmd. The bottom line remains the same: my clocks and timezones are consistent.

(17 Dec '12, 11:02) PhilippeA

What happens if you run capinfos from outside of cygwin?

(17 Dec '12, 11:06) Kurt Knochner ♦

Cygwin was the culprit. The TZ is set in cygwin. I don't understand why, but disabling it solves my issue.

(17 Dec '12, 12:01) PhilippeA

Good! Please accept the answer of @grahamb for the benefit of other users.

(17 Dec '12, 12:07) Kurt Knochner ♦

0

It shows the same timestamp on my Ubuntu 12.04 and my Win XP system (see below), but a different time than on your system, which is due to a different time zone (here: CET). So I guess it's a timezone problem, as already mentioned by @grahamb.

What is the output of these commands on your systems?

Windows: reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation /v standardname | FIND "REG_SZ"

Windows: set | find "TZ"

Linux: cat /etc/timezone

Linux: echo $TZ

Windows XP

Z:\ask.wireshark.org>capinfos timestamp.cap
File name:           timestamp.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 96 bytes
Number of packets:   5
File size:           450 bytes
Data size:           346 bytes
Capture duration:    3 seconds
Start time:          Mon Dec 17 16:17:44 2012
End time:            Mon Dec 17 16:17:47 2012
Data byte rate:      110.97 bytes/sec
Data bit rate:       887.79 bits/sec
Average packet size: 69.20 bytes
Average packet rate: 1.60 packets/sec
SHA1:                93e5fbf5bf7a6df1f6da066977335890c50e74e8
RIPEMD160:           c866a969118d29e58f65adf1a91faf1726430965
MD5:                 35870c270f932cecfb838b091afe7797
Strict time order:   True

Z:\ask.wireshark.org>tshark -nr timestamp.cap -T fields -e frame.time
Dec 17, 2012 16:17:44.234821000
Dec 17, 2012 16:17:44.234822000
Dec 17, 2012 16:17:44.234835000
Dec 17, 2012 16:17:47.352494000
Dec 17, 2012 16:17:47.352660000

Ubuntu 12.04

[email protected]:/$ capinfos timestamp.cap
File name:           timestamp.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 96 bytes
Number of packets:   5
File size:           450 bytes
Data size:           346 bytes
Capture duration:    3 seconds
Start time:          Mon Dec 17 16:17:44 2012
End time:            Mon Dec 17 16:17:47 2012
Data byte rate:      110.97 bytes/sec
Data bit rate:       887.79 bits/sec
Average packet size: 69.20 bytes
Average packet rate: 1.60 packets/sec
SHA1:                93e5fbf5bf7a6df1f6da066977335890c50e74e8
RIPEMD160:           c866a969118d29e58f65adf1a91faf1726430965
MD5:                 35870c270f932cecfb838b091afe7797
Strict time order:   True

[email protected]:$ tshark -nr timestamp.cap -T fields -e frame.time
Dec 17, 2012 16:17:44.234821000
Dec 17, 2012 16:17:44.234822000
Dec 17, 2012 16:17:44.234835000
Dec 17, 2012 16:17:47.352494000
Dec 17, 2012 16:17:47.352660000

[email protected]:$ tcpdump -nr /tmp/timestamp.cap
reading from file /tmp/timestamp.cap, link-type EN10MB (Ethernet)
16:17:44.234821 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [S], seq 4185924599, win 32792, options [mss 16396,sackOK,TS val 3539423714 ecr 0,nop,wscale 7], length 0
16:17:44.234822 IP 127.0.0.1.18009 > 127.0.0.1.25533: Flags [S.], seq 4191217688, ack 4185924600, win 32768, options [mss 16396,sackOK,TS val 3539423714 ecr 3539423714,nop,wscale 7], length 0
16:17:44.234835 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [.], ack 1, win 257, options [nop,nop,TS val 3539423714 ecr 3539423714], length 0
16:17:47.352494 IP 127.0.0.1.25533 > 127.0.0.1.18009: Flags [F.], seq 1, ack 1, win 257, options [nop,nop,TS val 3539426832 ecr 3539423714], length 0
16:17:47.352660 IP 127.0.0.1.18009 > 127.0.0.1.25533: Flags [R.], seq 1, ack 2, win 256, options [nop,nop,TS val 3539426832 ecr 3539426832], length 0

Regards
Kurt

answered 17 Dec '12, 08:09

Kurt Knochner ♦
accept rate: 15%

edited 17 Dec '12, 08:21