"alex medvedev" <[EMAIL PROTECTED]> said:

> suppose i create a tcpdump at 9 am in moscow, russia (+3hrs east from
> GMT);
> then i read it on a machine in dallas, tx (-6hrs west from GMT).
>
> what time stamps should i see on packets?
> 9am or 6pm?

Normally if you don't use any time-options in tcpdump, you'll see 9am,
since AFAIK libpcap stores the timestamp unchanged in whatever timezone
the OS passes the frame to libpcap.

If you use the '-tttt' option, tcpdump will treat the timestamps in the
capture file as UTC (your $TZ) and print them as such:

  reading from file f:\WATTCP.DBG, link-type EN10MB (Ethernet)
  2003-12-18 15:44:40.014914 arp who-has 10.0.0.1 tell 10.0.0.7
  2003-12-18 15:44:40.108415 arp reply 10.0.0.1 is-at 00:00:c5:92:36:c4
  2003-12-18 15:44:40.108839 IP 10.0.0.7 > 10.0.0.1: icmp 12: echo request seq 0
  2003-12-18 15:44:40.230878 IP 10.0.0.1 > 10.0.0.7: icmp 12: echo reply seq 0

The above snippet was created yesterday at 16:44 GMT and read today.

--gv
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
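
An added example, not part of the original message or of tcpdump/libpcap: a minimal reader for the classic pcap file format that pulls each record's stored timestamp (seconds and microseconds since the Unix epoch) and renders it at the two UTC offsets from the question, which is the conversion to do explicitly when correlating captures across sites. The capture bytes are constructed, and the function names `read_timestamps`, `render` and `build_sample` are hypothetical.

```python
import calendar
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond resolution


def read_timestamps(data):
    """Return (ts_sec, ts_usec) for every record in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number tells us the byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC_USEC:
            break
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    stamps, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet record")
        stamps.append((ts_sec, ts_usec))
        offset += 16 + incl_len  # skip record header plus captured bytes
    return stamps


def render(ts_sec, ts_usec, utc_offset_hours):
    """Format an epoch timestamp as wall-clock time at a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.fromtimestamp(ts_sec, tz) + timedelta(microseconds=ts_usec)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


def build_sample():
    """Constructed capture: one 4-byte dummy frame stamped 09:00 at UTC+3."""
    epoch = calendar.timegm((2003, 12, 18, 6, 0, 0))  # 06:00 UTC == 09:00 at +3
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", epoch, 14914, 4, 4) + b"\x00" * 4
    return header + record


if __name__ == "__main__":
    for sec, usec in read_timestamps(build_sample()):
        for label, hours in (("UTC", 0), ("UTC+3", 3), ("UTC-6", -6)):
            print(label.ljust(6), render(sec, usec, hours))
```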
