On Dec 19, 2003, at 1:02 AM, Gisle Vanem wrote:

> "alex medvedev" <[EMAIL PROTECTED]> said:
>
>> Suppose I create a tcpdump at 9 am in Moscow, Russia (+3hrs east from GMT); then I read it on a machine in Dallas, TX (-6hrs west from GMT).
>> What time stamps should I see on packets? 9am or 6pm?
>
> Normally if you don't use any time-options in tcpdump, you'll see 9am, since AFAIK libpcap stores the timestamp unchanged in whatever timezone the OS passes the frame to libpcap.
They're stored in standard UNIX "struct timeval" format, with seconds since January 1, 1970, 00:00:00 GMT, and microseconds, so they're stored in a close approximation of UTC.
As such, I'd expect the time stamps to display as 6PM if read in Dallas (unless you change the time zone setting for the process reading them, e.g. "TZ=Europe/Moscow tcpdump -r {filename}" with a Bourne-compatible shell on many UNIXes).
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
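
As an added illustration (not part of the original thread, and not libpcap's own code): a minimal reader for the classic pcap file layout that pulls out each record's stored seconds-since-epoch timestamp and renders the same instant at different UTC offsets, which is what matters when correlating captures taken in different time zones. The capture bytes are constructed, the helper names are hypothetical, and the fixed offsets +3 and -6 are the ones given in the question (no daylight-saving rules are applied).

```python
import struct
from datetime import datetime, timedelta, timezone

# On-disk magic -> (struct byte order, timestamp fraction units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def read_timestamps(data):
    """Return every record's capture time as a timezone-aware UTC datetime."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    stamps, off = [], 24  # records start after the 24-byte file header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        base = datetime.fromtimestamp(sec, timezone.utc)
        stamps.append(base + timedelta(microseconds=frac * 10**6 // units))
        off += 16 + incl_len  # skip the record header and captured bytes
    return stamps

def render(stamp, utc_offset_hours):
    """Format one instant as wall-clock time at a fixed UTC offset."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return stamp.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S.%f")

def sample_capture():
    """Constructed one-packet capture stamped 2003-12-19 12:00:00.250000 UTC."""
    sec = int(datetime(2003, 12, 19, 12, 0, tzinfo=timezone.utc).timestamp())
    frame = bytes(60)  # placeholder payload, contents irrelevant here
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", sec, 250000, len(frame), len(frame))
    return file_hdr + rec_hdr + frame

if __name__ == "__main__":
    for stamp in read_timestamps(sample_capture()):
        for label, hours in (("UTC", 0), ("UTC+3", 3), ("UTC-6", -6)):
            print(f"{label:6} {render(stamp, hours)}")
```

The stored value never changes between the three renderings; only the offset applied at display time does, so timelines built from captures should record the offset used or stay in UTC.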
