Posted by: dragorn
Subject: Extracting absolute time from kismet dumps
Date: 17:59:57 09/04/2009

> Yep, Wireshark is showing both absolute as well as delta from the beginning of the file, but that time information is not stored in the header portion 'cause clicking on absolute time in Wireshark doesn't highlight the corresponding byte in the byte stream of each frame.
> And using pcap_offline() I get access to hex byte stream of each frame, from which I interpret various info.
> And could you please shed some more light about which particular pcap struct stores time information & how to access that struct?

Wireshark doesn't show the pcap header on packets, only the data, so it wouldn't show the bytes, correct. Doesn't mean they aren't there.

Looking at pcap.h shows pcap_file_header contains 'thiszone' which shows the offset from GMT to this time zone, and that pcap_pkthdr contains a struct timeval ts in addition to the caplen and len fields.
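To show where those bytes sit in a capture file, here is an added example (not part of the original post, and not libpcap code) that walks a classic pcap file byte by byte and pulls out `thiszone` plus the timestamp, caplen and len stored in the 16-byte record header in front of each frame. The names `rec_hdr`, `rd32`, `read_pcap_times` and the `SAMPLE` bytes are hypothetical and constructed for illustration; it assumes the classic microsecond format with magic `0xa1b2c3d4`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of the 16-byte record header that precedes every frame on disk. */
struct rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Fills out[] with up to max record headers; returns count, or -1 if malformed. */
int read_pcap_times(const uint8_t *buf, size_t n, int32_t *thiszone,
                    struct rec_hdr *out, int max) {
    int big, count = 0;
    size_t off = 24;                            /* size of the global file header */
    if (n < off) return -1;
    if (rd32(buf, 0) == 0xa1b2c3d4u) big = 0;
    else if (rd32(buf, 1) == 0xa1b2c3d4u) big = 1;
    else return -1;                             /* not a classic microsecond pcap */
    *thiszone = (int32_t)rd32(buf + 8, big);    /* GMT offset field of the file header */
    while (count < max && n - off >= 16) {
        struct rec_hdr h = { rd32(buf + off, big), rd32(buf + off + 4, big),
                             rd32(buf + off + 8, big), rd32(buf + off + 12, big) };
        off += 16;
        if (h.caplen > n - off) return -1;      /* frame bytes run past the buffer */
        out[count++] = h;
        off += h.caplen;                        /* skip the frame data itself */
    }
    return count;
}

/* Constructed sample: little-endian file, linktype 105 (802.11), two records. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x69,0x00,0x00,0x00,
    0x9d,0x55,0xa1,0x4a, 0x40,0xe2,0x01,0x00, 4,0,0,0, 4,0,0,0,  0x80,0,0,0,
    0x9e,0x55,0xa1,0x4a, 0x0a,0x00,0x00,0x00, 2,0,0,0, 60,0,0,0, 0x80,0,
};

int main(void) {
    struct rec_hdr r[8];
    int32_t tz;
    int n = read_pcap_times(SAMPLE, sizeof SAMPLE, &tz, r, 8);
    for (int i = 0; i < n; i++)
        printf("frame %d: %u.%06u caplen=%u len=%u\n", i, (unsigned)r[i].ts_sec,
               (unsigned)r[i].ts_usec, (unsigned)r[i].caplen, (unsigned)r[i].len);
    return n < 0;
}
```

When reading through libpcap instead, the same values arrive in the `pcap_pkthdr` passed alongside each frame, as `ts`, `caplen` and `len`.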


