Your code's logic, and your statement about "
13FCC7343B5EA000" not giving you the result you expect, makes me think you expect the absolute_time to be a number - the number of nanoseconds since the Unix epoch (January 1, 1970, midnight UTC). It isn't. It's two numbers: the number of seconds, and the number of nanoseconds portion of a second. When decoded from a
Tvb, wireshark expects the first 4 bytes of the given
TvbRange to be the seconds, and the second 4 bytes to be the nanoseconds portion.
Thus a manufactured
Tvb of the hex string "13FCC7343B5EA000" is 0x13FCC734 seconds, and 0x3B5EA000 nanoseconds. 0x13FCC734 seconds is 335333172 in decimal, and in Epoch time is Aug 17, 1980. What you probably expected was that the whole hex string became a single number (decimal of 1440245008000000000) representing the number of nanoseconds since the Epoch, which would be Aug 22, 2015.
If your packet's
Tvb buffer contains just a single big number, for the number of microseconds since the Epoch, then you can convert it like so:
-- returns a UInt64 object of the microseconds in the Tvb buffer
local usecs = buffer(0,8):le_uint64()
-- gets the seconds as a Lua number
local secs = (usecs / 1000000):tonumber()
-- gets the remainder as a Lua number, in nanoseconds
local nsecs = (usecs % 1000000):tonumber() * 1000
– create a NSTime object using the above
local nstime = NSTime.new(secs, nsecs)
– add it to the tree, highlighting the real buffer's bytes, but with the real NSTime value
subtree:add(pl_timestamp, buffer(0,8), nstime)
Note: I haven’t tested the above, but it should (hopefully) work.
answered 22 Aug ‘15, 07:37
accept rate: 18%