This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi there,

I am currently implementing a dissector in Lua and I'm stuck with converting my microsecond timestamp to absolute_time. This is what I'm currently doing:

local pl_timestamp = ProtoField.absolute_time('xxx.timestamp', 'Timestamp', base.LOCAL)
...      
local tmp1 = (buffer(0,8):le_uint64()) * 1000
local tmp2 = tmp1:tohex()
local tvb = ByteArray.new(tmp2):tvb("Time")
subtree:add(pl_timestamp, tvb(0,8))

I also tried it with a fixed time that I'm sure is correct:

local tvb = ByteArray.new("13FCC7343B5EA000"):tvb("Time")

At the output I get a completely wrong date. I guess the absolute_time is a ns-timestamp counting the ns since 1.1.1970 1:00:00, right? Does anybody have an idea what I'm doing wrong here?

I'm grateful for any advice. Enno

asked 22 Aug '15, 05:20

enno

Using local tvb = ByteArray.new("13FCC7343B5EA000"):tvb("Time") I get Aug 17, 1980 - which according to epochconverter.com is correct.

What is it you expect it to be, and why?

(22 Aug '15, 06:37) Hadriel

Oh, and why are you getting the buffer's bytes, multiplying by 1000, converting to hex, creating a new Tvb, and then using that new Tvb for the time?

(22 Aug '15, 06:46) Hadriel

Ahh, I kind of missed the first sentence, where you want to convert microseconds "timestamp" to ns-timestamp. I see what you're missing - I'll put it in an answer.

(22 Aug '15, 07:11) Hadriel

Your code's logic, and your statement about "13FCC7343B5EA000" not giving you the result you expect, make me think you expect the absolute_time to be a number - the number of nanoseconds since the Unix epoch (January 1, 1970, midnight UTC). It isn't. It's two numbers: the number of seconds, and the number of nanoseconds portion of a second. When decoded from a Tvb, Wireshark expects the first 4 bytes of the given TvbRange to be the seconds, and the second 4 bytes to be the nanoseconds portion.

Thus a manufactured Tvb of the hex string "13FCC7343B5EA000" is 0x13FCC734 seconds, and 0x3B5EA000 nanoseconds. 0x13FCC734 seconds is 335333172 in decimal, and in Epoch time is Aug 17, 1980. What you probably expected was that the whole hex string became a single number (decimal of 1440245008000000000) representing the number of nanoseconds since the Epoch, which would be Aug 22, 2015.

If your packet's Tvb buffer contains just a single big number, for the number of microseconds since the Epoch, then you can convert it like so:

-- returns a UInt64 object of the microseconds in the Tvb buffer
local usecs = buffer(0,8):le_uint64()
-- gets the seconds as a Lua number
local secs  = (usecs / 1000000):tonumber()
-- gets the remainder as a Lua number, in nanoseconds
local nsecs = (usecs % 1000000):tonumber() * 1000

-- create a NSTime object using the above
local nstime = NSTime.new(secs, nsecs)

-- add it to the tree, highlighting the real buffer's bytes, but with the real NSTime value
subtree:add(pl_timestamp, buffer(0,8), nstime)

Note: I haven't tested the above, but it should (hopefully) work.

answered 22 Aug '15, 07:37

Hadriel

Works! Thank you very much! Perfect and very fast support!

(22 Aug '15, 08:22) enno
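
The two readings of the question's test bytes, and the microsecond split from the answer, modelled in Python as an added example (not code from the original posts; it runs outside Wireshark). The big-endian byte order follows the answer's reading of the hex string, and the `WIRE` microsecond value is constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Fixed test value from the question, as passed to ByteArray.new().
SAMPLE = bytes.fromhex("13FCC7343B5EA000")

def as_secs_nsecs(raw):
    """Layout described in the answer: 4 bytes seconds, then 4 bytes nanoseconds."""
    return struct.unpack(">II", raw)

def as_single_ns_count(raw):
    """The reading the question assumed: one 64-bit nanosecond count."""
    (ns,) = struct.unpack(">Q", raw)
    return divmod(ns, 1_000_000_000)

def split_le_usecs(raw):
    """Same arithmetic as the answer's Lua: little-endian 64-bit microseconds
    since the epoch -> (seconds, nanoseconds remainder)."""
    (usecs,) = struct.unpack("<Q", raw)
    secs, rem_usecs = divmod(usecs, 1_000_000)
    return secs, rem_usecs * 1000

def utc_date(secs):
    """Calendar date (UTC) for a seconds-since-epoch value."""
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d")

# Constructed wire bytes: the 2015 instant plus 123456 microseconds, little-endian,
# i.e. what buffer(0,8) would hold in a packet carrying such a timestamp.
WIRE = struct.pack("<Q", 1440245008 * 1_000_000 + 123456)

if __name__ == "__main__":
    readings = [
        ("4+4 bytes (secs, nsecs)", as_secs_nsecs(SAMPLE)),
        ("single 64-bit ns count", as_single_ns_count(SAMPLE)),
        ("LE microseconds split", split_le_usecs(WIRE)),
    ]
    for label, (secs, nsecs) in readings:
        print(f"{label:26} secs={secs} nsecs={nsecs} date={utc_date(secs)}")
```
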
question asked: 22 Aug '15, 05:20

question was seen: 3,136 times

last updated: 22 Aug '15, 08:22