>Date: Fri, 1 Nov 2013 14:18:04 -0700
>From: Guy Harris <[email protected]>
>To: Developer support list for Wireshark <[email protected]>
>Subject: Re: [Wireshark-dev] adding IRIG time and time of day
>Message-ID: <[email protected]>
>Content-Type: text/plain; charset=iso-8859-1
>
>
>On Nov 1, 2013, at 1:39 PM, John Dill <[email protected]> wrote:
>
>> I just finished installing the latest version of wireshark 1.10.2 and was
>> able to build it successfully for Windows 7 using the recommended procedure
>> in the developer's guide.
>>
>> One of the things that I'd like to tweak is to add an IRIG time of day to
>> the list of Time Display Formats.
>
>Note that View -> Time Display Format controls the way packet time stamps are
>displayed, so the only formats that make sense are formats where you can take
>a count of seconds and nanoseconds since January 1, 1970, 00:00:00 UTC and
>convert it to that format. Nothing else is implementable.
>
>If, however, the file contains IRIG time stamps *in addition to* the packet
>time stamp read by Wireshark, it might be possible to have an IRIG time stamp
>column, separate from the "Time" column.
>
>> The issue is that my packet stream is synchronized to an IRIG time code
>> generator and would like to display the date in the following format.
>>
>> (day) hh:mm:ss.nnnnnnnnn
>>
>> The timestamp is populated with a time of day starting with day 1 as Jan 1
>> 12:00:00am and wraps around at either day 365 or 366 which corresponds to
>> Dec 31, 11:59:59pm. One slight issue is that the IRIG time does not
>> capture the year, so some method will be needed to specify whether the date
>> the leap year. I could use a heuristic like the date from the file, or use
>> Ctrl + Alt + 8 to cycle between leap year and non-leap year displays.
>>
>> The data is not collected from Wireshark directly, but from an external
>> board that uses a modified pcap driver (cpcap) that I use to stream
>> collected packets to file.
>
>What is the file format? Where does it store the IRIG time stamps?

The file is NTAR (another name for pcap-ng?). The software stores the 64-bit
IRIG timestamp in the Timestamp (High)/Timestamp (Low) field of a Packet Block.
It's injected into the packet stream from a 10-nanosecond resolution clock on
the capture board that is synchronized to an external IRIG-B timecode. It's
used to synchronize the time of the packet stream with ARINC 429 and
MIL-STD-1553 data streams, which are also IRIG-B time coded. IRIG-B is a time
format that is simply a count of seconds since Jan 1 at midnight UTC, not from
1970.

   +---------------------------------------------------------------+
 0 |                    Block Type = 0x00000006                    |
   +---------------------------------------------------------------+
 4 |                      Block Total Length                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 8 |                         Interface ID                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12 |                        Timestamp (High)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  IRIG-B Timestamp
16 |                        Timestamp (Low)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
20 |                         Captured Len                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
24 |                          Packet Len                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
28 /                                                               /
   /                          Packet Data                          /
   /          /* variable length, aligned to 32 bits */            /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                                                               /
   /                      Options (variable)                       /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Block Total Length                       |
   +---------------------------------------------------------------+

Isn't the time column displayed based on the contents of Timestamp
(High)/Timestamp (Low)? I figure that adding another display option should be
feasible to handle this special case. Everything looks fine when I use the UTC
time without the date, but with a date it's wrong as it displays a date in
1970.

Best regards,
John D.
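
Added example (not part of the original thread and not Wireshark code): Python that validates a Packet Block laid out as in the message above, extracts the 64-bit Timestamp (High)/(Low) value, and renders it in the requested "(day) hh:mm:ss.nnnnnnnnn" form, rejecting day 366 unless a leap year is selected. It assumes little-endian blocks by default and that one timestamp unit is 10 ns; the function names and the sample block are constructed for illustration.

```python
import struct

EPB_TYPE = 0x00000006            # Block Type from the layout in the message
TICKS_PER_SECOND = 100_000_000   # ASSUMPTION: one timestamp unit = 10 ns

def epb_timestamp(block: bytes, endian: str = "<") -> int:
    """Validate one Packet Block and return Timestamp (High)/(Low) as 64 bits."""
    if len(block) < 32:
        raise ValueError("shorter than the fixed fields plus trailing length")
    btype, total, _ifid, hi, lo, caplen, _pktlen = struct.unpack_from(endian + "7I", block)
    if btype != EPB_TYPE:
        raise ValueError(f"unexpected block type 0x{btype:08x}")
    (trailer,) = struct.unpack_from(endian + "I", block, len(block) - 4)
    if total != len(block) or trailer != total or total % 4:
        raise ValueError("Block Total Length fields inconsistent with block size")
    if 28 + ((caplen + 3) & ~3) + 4 > total:   # packet data is padded to 32 bits
        raise ValueError("Captured Len overruns the block")
    return (hi << 32) | lo

def format_irig(ticks: int, leap_year: bool = False) -> str:
    """Render a time-of-year tick count as '(day) hh:mm:ss.nnnnnnnnn', day 1 = Jan 1."""
    seconds, frac = divmod(ticks, TICKS_PER_SECOND)
    day0, rem = divmod(seconds, 86400)
    last_day = 366 if leap_year else 365
    if day0 >= last_day:
        raise ValueError(f"timestamp is past day {last_day}")
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    nanos = frac * (1_000_000_000 // TICKS_PER_SECOND)
    return f"({day0 + 1}) {hh:02d}:{mm:02d}:{ss:02d}.{nanos:09d}"

def build_sample_block(ticks: int, payload: bytes = b"\xaa" * 6, endian: str = "<") -> bytes:
    """Constructed test input: a Packet Block with no options."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    total = 28 + len(padded) + 4
    head = struct.pack(endian + "7I", EPB_TYPE, total, 0, ticks >> 32,
                       ticks & 0xFFFFFFFF, len(payload), len(payload))
    return head + padded + struct.pack(endian + "I", total)

if __name__ == "__main__":
    # Constructed sample: day 305 at 14:18:04.123456780
    sample_ticks = (304 * 86400 + 14 * 3600 + 18 * 60 + 4) * TICKS_PER_SECOND + 12_345_678
    blk = build_sample_block(sample_ticks)
    print(format_irig(epb_timestamp(blk)))
```

Because the timestamp carries no year, the leap_year argument has to come from outside the block, for example from the file's date or a user toggle as proposed in the message.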
