This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Convert us-timestamp to absolute_time

0

Hi there,

I am currently implementing a dissector in lua and I'm stuck with converting my microsecond timestamp to absolute_time. This is what I'm currenly doing:

local pl_timestamp = ProtoField.absolute_time('xxx.timestamp', 'Timestamp', base.LOCAL)
...      
local tmp1 = (buffer(0,8):le_uint64()) * 1000
local tmp2 = tmp1:tohex()
local tvb = ByteArray.new(tmp2):tvb("Time")
subtree:add(pl_timestamp, tvb(0,8))

I also tried it with a fixed time that I'm sure is correct:

local tvb = ByteArray.new("13FCC7343B5EA000"):tvb("Time")

At the output I get a completely wrong date. I guess the absolute_time is a ns-timestamp counting the ns since 1.1.1970 1:00:00 right? Anybody an idea what I'm doing wrong here?

I'm greatful for every advise. Enno

asked 22 Aug '15, 05:20

enno's gravatar image

enno
11114
accept rate: 0%

Using local tvb = ByteArray.new("13FCC7343B5EA000"):tvb("Time") I get Aug 17, 1980 - which according to epochconverter.com is correct.

What is it you expect it to be, and why?

(22 Aug '15, 06:37) Hadriel

Oh, and why are you getting the buffer's bytes, multiplying times a 1000, converting to hex, creating a new Tvb, and then using that new Tvb for the time?

(22 Aug '15, 06:46) Hadriel

Ahh, I kind of missed the first sentence, where you want to convert microseconds "timestamp" to ns-timestamp. I see what you're missing - I'll put it in an answer.

(22 Aug '15, 07:11) Hadriel

One Answer:

1

Your code's logic, and your statement about "13FCC7343B5EA000" not giving you the result you expect, makes me think you expect the absolute_time to be a number - the number of nanoseconds since the Unix epoch (January 1, 1970, midnight UTC). It isn't. It's two numbers: the number of seconds, and the number of nanoseconds portion of a second. When decoded from a Tvb, wireshark expects the first 4 bytes of the given TvbRange to be the seconds, and the second 4 bytes to be the nanoseconds portion.

Thus a manufactured Tvb of the hex string "13FCC7343B5EA000" is 0x13FCC734 seconds, and 0x3B5EA000 nanoseconds. 0x13FCC734 seconds is 335333172 in decimal, and in Epoch time is Aug 17, 1980. What you probably expected was that the whole hex string became a single number (decimal of 1440245008000000000) representing the number of nanoseconds since the Epoch, which would be Aug 22, 2015.

If your packet's Tvb buffer contains just a single big number, for the number of microseconds since the Epoch, then you can convert it like so:

-- returns a UInt64 object of the microseconds in the Tvb buffer
local usecs = buffer(0,8):le_uint64()
-- gets the seconds as a Lua number
local secs  = (usecs / 1000000):tonumber()
-- gets the remainder as a Lua number, in nanoseconds
local nsecs = (usecs % 1000000):tonumber() * 1000

– create a NSTime object using the above
local nstime = NSTime.new(secs, nsecs)


– add it to the tree, highlighting the real buffer's bytes, but with the real NSTime value
subtree:add(pl_timestamp, buffer(0,8), nstime)

Note: I haven’t tested the above, but it should (hopefully) work.

answered 22 Aug ‘15, 07:37

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

Works! Thank you very much! Perfect and very fast support!

(22 Aug ‘15, 08:22) enno