Here is some sample flow-header output:
#
# mode: normal
# capture hostname: flowneighs.example.com
# capture start: Wed May 17 18:30:00 2006
# capture end: Wed May 17 18:45:00 2006
# capture period: 900 seconds
# compress: on
# byte order: little
# stream version: 3
# export version: 5
# lost flows: 0
# corrupt packets: 0
# sequencer resets: 0
# capture flows: 405000
I wrote some programs that read this output and parse the timestamp.
Catch is, I forgot about the switch to and from daylight time.
If I'd used the flow-capture generated filename for the timestamp, that
would have worked, since that includes a GMT offset, but when I put together
my scripts I foolishly assumed the flow-header output would be more reliable.
The problem is in src/lib/ftio.c:
    if (!streaming2)
      if (fields & FT_FIELD_CAP_START)
        fprintf(std, "%c capture start: %s", cc,
          ctime((time_t*)&fth->cap_start));

    if (!streaming2) {

      if ((flags & FT_HEADER_FLAG_DONE) || (flags & FT_HEADER_FLAG_PRELOADED)) {

        if (fields & FT_FIELD_CAP_END)
          fprintf(std, "%c capture end: %s", cc,
            ctime((time_t*)&fth->cap_end));
since ctime doesn't include any time zone specification. One possible
fix is to use strftime() to format the timestamp, so the timezone can
be included.
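
The ambiguity described above, as an added example (not part of the original post and not flow-tools code): two instants an hour apart around the end of daylight time print identically through ctime(), while strftime() with %z tells them apart. The epoch values, the TZ rule and the function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample values: two instants one hour apart that straddle the
 * end of US daylight time on 2006-10-29 (06:00 UTC). */
#define T_BEFORE ((time_t)1162099800)  /* 2006-10-29 05:30:00 UTC */
#define T_AFTER  ((time_t)1162103400)  /* 2006-10-29 06:30:00 UTC */

/* Assumption: a POSIX TZ rule for US Eastern time as it stood in 2006,
 * used so the demo does not depend on the host's zone or tzdata. */
static void use_demo_zone(void)
{
    setenv("TZ", "EST5EDT,M4.1.0,M10.5.0", 1);
    tzset();
}

/* ctime()-style rendering, as in the flow-header code: no zone information. */
static void fmt_ctime(time_t t, char *buf, size_t len)
{
    snprintf(buf, len, "%s", ctime(&t));
    buf[strcspn(buf, "\n")] = '\0';   /* drop ctime's trailing newline */
}

/* Similar layout plus the numeric UTC offset (%z), which removes the ambiguity. */
static int fmt_with_offset(time_t t, char *buf, size_t len)
{
    struct tm *tm = localtime(&t);
    if (tm == NULL)
        return -1;
    return strftime(buf, len, "%a %b %d %H:%M:%S %Y %z", tm) ? 0 : -1;
}

int main(void)
{
    char a[64], b[64];
    use_demo_zone();
    fmt_ctime(T_BEFORE, a, sizeof a);
    fmt_ctime(T_AFTER, b, sizeof b);
    printf("ctime:    %s | %s\n", a, b);
    if (fmt_with_offset(T_BEFORE, a, sizeof a) || fmt_with_offset(T_AFTER, b, sizeof b))
        return 1;
    printf("strftime: %s | %s\n", a, b);
    return 0;
}
```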