Don't try to compute time stamps for files from Packet Builder.

I don't trust Packet Builder's ability to convert time stamps between Capsa format and pcap. Change-Id: I0ac2e14216e37127d81d5bf1c6d48a2c20841a8e Reviewed-on: https://code.wireshark.org/review/4721 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-16 03:01:28 -07:00 · 2014-10-16 03:01:28 -07:00 · d347b7284f
parent c74cefbfc9
commit d347b7284f
1 changed files with 18 additions and 8 deletions
--- a/wiretap/capsa.c
+++ b/wiretap/capsa.c
@ -318,7 +318,9 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 	guint32	packet_size;
 	guint32 orig_size;
 	guint32 header_size;
+#if 0
 	guint64 timestamp;
+#endif

 	/* Read record header. */
 	switch (capsa->format_indicator) {
@ -338,7 +340,6 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 		 */
 		timestamp -= G_GUINT64_CONSTANT(11644473600);
 #endif
-		phdr->presence_flags = WTAP_HAS_CAP_LEN;

 		/*
 		 * OK, the rest of this is variable-length.
@ -360,17 +361,19 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 		orig_size = GUINT16_FROM_LE(pbrec_hdr.orig_len);
 		packet_size = GUINT16_FROM_LE(pbrec_hdr.incl_len);
 		header_size = sizeof pbrec_hdr;
+#if 0
 		timestamp = (((guint64)GUINT32_FROM_LE(pbrec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(pbrec_hdr.timestamplo);
 		/*
-		 * XXX - this seems to work for one pcap capture
-		 * converted to Capsa format by Packet Builder,
-		 * but it's a random magic number, so it might
-		 * not actually be the right value.
+		 * XXX - from the results of some conversions between
+		 * Capsa format and pcap by Colasoft Packet Builder,
+		 * I do not trust its conversion of time stamps (at
+		 * least one of Colasoft's sample files, when
+		 * converted to pcap format, has, as its time stamps,
+		 * time stamps on the day after the conversion was
+		 * done, which seems like more than just coincidence).
 		 */
 		timestamp -= G_GUINT64_CONSTANT(485946753291483);
-		phdr->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
-		phdr->ts.secs = (time_t)(timestamp / 1000000);
-		phdr->ts.nsecs = ((int)(timestamp % 1000000))*1000;
+#endif
 		break;

 	default:
@ -426,6 +429,13 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 	phdr->rec_type = REC_TYPE_PACKET;
 	phdr->caplen = packet_size;
 	phdr->len = orig_size;
+#if 0
+	phdr->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
+	phdr->ts.secs = (time_t)(timestamp / 1000000);
+	phdr->ts.nsecs = ((int)(timestamp % 1000000))*1000;
+#else
+	phdr->presence_flags = WTAP_HAS_CAP_LEN;
+#endif

 	/*
 	 * Read the packet data.