[pcap-ng-format] Issue #24: Need to specify the IDB if_tzone option format
Hadriel Kaplan
the.real.hadriel at gmail.com
Wed Aug 26 02:44:35 UTC 2015
On Tue, Aug 25, 2015 at 10:29 PM, Guy Harris <guy at alum.mit.edu> wrote:
>
> On Aug 25, 2015, at 7:18 PM, Hadriel Kaplan <the.real.hadriel at gmail.com> wrote:
>
>> Why would it matter, if we specified the if_tzone was always in
>> standard time? +8 hours = PST, no matter whether DST is in effect or
>> not. The pcapng reading application can figure out if, for the given
>> time in the timestamps and your standard timezone, DST is in effect or
>> not for your timezone, can't it?
>
> Yes, but if it's displaying the time stamps as local time for the zone in which they're collected, and that's *not* the zone in which you're running Wireshark, then knowing whether DST is in effect or not for *your* timezone is irrelevant - what's relevant is whether it's in effect *in the time zone in which the capture was done*.
Sorry, I meant "your" as in the +8 hour one, not the one of the local
application. I.e., I live in the East coast of the US (EDT currently,
but that doesn't matter). You send me your capture file. Wireshark
opens it, sees a +8, which it knows means PST because we say that's
what the option means. I'm assuming that it can figure out that if a
packet in the capture was captured at 9pm yesterday in UTC, that it
could display that to me as 9pm UTC, or 5pm EDT, or 2pm PDT - not
because *I* am in DST, but rather because PST at 9pm UTC was in DST.
(I have absolutely no idea if that's easy/hard/nearly-impossible, btw)
-hadriel
More information about the pcap-ng-format
mailing list