On Sun, 23 Feb 2003, Robert McConnell wrote:

> I am looking at converting the NetProbe trace files into the raw tcpdump
> format so that I can import them into Ethereal. Looking at the files
> themselves, they contain a binary copy of each packet with a 20 byte header
> containing the packet length, snapshot length and an MS-DOS time stamp
> (milliseconds since 1/1/80). So I think the conversion will be rather
> simple to do in either Perl or C.
>
> Has anyone built this wheel? Or does anyone have a snippet of code that
> will convert MS-DOS time stamps into Unix time? This is the one piece I
> don't have worked out.

Instead of writing a NetProbe to tcpdump converter, would it be possible to
add support to the Wiretap library? That way, Ethereal could read the files
natively and they could be converted to the many formats that Ethereal,
Tethereal and editcap can write. More information can be found in
wiretap/README in the source distribution.

According to 'date -ud "1/1/1980" +%s' there are 315532800 seconds between
the Unix and DOS epochs. The tcpdump/libpcap file format saves its timestamps
as Unix seconds and microseconds. Couldn't you do something like

    unix_sec = (dos_msec / 1000) + 315532800;
    unix_usec = (dos_msec % 1000) * 1000;

to get the values you need?
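
The conversion suggested above, carried through to a libpcap record, as an added example that is not part of the original thread and is not Ethereal or Wiretap code. Assumptions: the NetProbe timestamp has already been read into a 64-bit integer (the 20-byte header layout is not given in the thread, so no header parsing is shown), the link type is Ethernet, and the function names are hypothetical. Lengths taken from a trace file are checked before anything is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seconds between the Unix and DOS epochs, as given in the reply above. */
#define DOS_EPOCH_OFFSET 315532800ULL

/* libpcap on-disk headers, written in host byte order (readers detect it from the magic). */
struct pcap_file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t thiszone;
                       uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_hdr  { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

/* Assumption: the timestamp is held in 64 bits; a 32-bit millisecond counter
   would wrap after about 49.7 days. Returns -1 if the result does not fit
   pcap's 32-bit seconds field. */
int dos_msec_to_pcap_ts(uint64_t dos_msec, uint32_t *sec, uint32_t *usec)
{
    uint64_t s = dos_msec / 1000 + DOS_EPOCH_OFFSET;
    if (s > UINT32_MAX) return -1;
    *sec  = (uint32_t)s;
    *usec = (uint32_t)(dos_msec % 1000) * 1000;
    return 0;
}

/* Append one record to out; returns bytes written, or 0 if the lengths from
   the trace are inconsistent, the timestamp overflows, or out is too small. */
size_t pcap_put_record(uint8_t *out, size_t outcap, uint64_t dos_msec,
                       uint32_t orig_len, const uint8_t *data, uint32_t caplen)
{
    struct pcap_rec_hdr rh;
    if (caplen > orig_len || outcap < sizeof rh || caplen > outcap - sizeof rh) return 0;
    if (dos_msec_to_pcap_ts(dos_msec, &rh.ts_sec, &rh.ts_usec) != 0) return 0;
    rh.incl_len = caplen;
    rh.orig_len = orig_len;
    memcpy(out, &rh, sizeof rh);
    memcpy(out + sizeof rh, data, caplen);
    return sizeof rh + caplen;
}

int main(void)
{
    /* Constructed sample: one 60-byte frame of which 14 bytes were captured. */
    static const uint8_t frame[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x00};
    struct pcap_file_hdr fh = {0xa1b2c3d4, 2, 4, 0, 0, 65535, 1 /* Ethernet, assumed */};
    uint8_t rec[64];
    size_t n = pcap_put_record(rec, sizeof rec, 730000000500ULL, 60, frame, sizeof frame);
    if (n == 0) return 1;
    fwrite(&fh, sizeof fh, 1, stdout);   /* 24-byte global header */
    fwrite(rec, 1, n, stdout);           /* 16-byte record header + captured bytes */
    return 0;
}
```

The constant is a UTC offset; if the DOS clock that produced the trace ran on local time, the capture's timestamps will be shifted by that machine's zone offset.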