Message-Id: <200109061229.f86CTQf15658@picard.cs.ohiou.edu>
From: "Shawn Ostermann" <ostermann@cs.ohiou.edu>
Subject: Re: Can tcptrace or any other program do this?
Date: Thu, 06 Sep 2001 08:29:25 -0400

> Does anyone know if any program or tcptrace can change the "absolute
> time" that the entire capture is over (it's stored in the actual capture
> file).
>
> Example: Let's say I have a capture file that begins on 9/4/01 at 5:00pm
> and I want to update it so it shows that the capture began at Noon on
> 9/4/01.
>
> (I'd like to do this because the system clock on a box I captured on
> was off and I would like all of the xplot graphs to show the correct
> time)

I don't know of anything, sorry. The only option that tcptrace has is
to scale the times to zero (see -z).

If this is something that you only intend to do once, here's what I'd
recommend (warning, ugliness below, cover the children's eyes):

1) Assuming that it's a tcpdump file (but the same trick works for the
   others), modify the tcpdump.c file in a NEW copy of the tcptrace
   sources:
   a) Look for the line:
          ptime->tv_sec = callback_phdr->ts.tv_sec;
   b) Add the following line AFTER that one:
          ptime->tv_sec -= 5*60*60;   /* for exactly 5 hours */
   c) recompile a NEW binary
2) test it and see if you like the times
3) Then, change the file as:
       tcptrace.new -q -Onewfile.dmp oldfile.dmp

This should give you a newfile with the times the way you want with
about 5 minutes of effort.

Good luck!
--sdo
-------------------------------------------------------------------------
Dr. Shawn Ostermann - Associate Professor - Ohio University
322B Stocker Center, Ohio University, Athens, Ohio 45701-2979
ostermann@cs.ohiou.edu -- FAX: (740)593-0007 -- Voice: (740)593-1234
http://ace.cs.ohiou.edu/~osterman http://irg.cs.ohiou.edu
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : 09/06/01 EDT
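
The same fixed offset can also be applied to the capture file itself rather than through a patched tcptrace build. The C below is an added example, not part of the original message or of the tcptrace sources; it assumes a classic libpcap file with microsecond timestamps already read into memory, and all function names are hypothetical.

```c
/* Added example, not tcptrace code: shift ts_sec of every record in a
   classic (microsecond) pcap image. All function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PCAP_MAGIC 0xa1b2c3d4u  /* reads as 0xd4c3b2a1 if byte order differs */

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}
static uint32_t get32(const uint8_t *p, int swap) {
    uint32_t v; memcpy(&v, p, 4); return swap ? swap32(v) : v;
}
static void put32(uint8_t *p, uint32_t v, int swap) {
    v = swap ? swap32(v) : v; memcpy(p, &v, 4);
}

/* Returns the number of records rewritten, or -1 (buffer untouched) when
   the image is not a pcap or a record runs past the end of the buffer. */
long pcap_shift_time(uint8_t *buf, size_t len, int32_t delta_sec) {
    int swap, pass;
    long n = 0;
    if (len < 24) return -1;                      /* 24-byte global header */
    swap = (get32(buf, 1) == PCAP_MAGIC);         /* written in the other byte order? */
    if (!swap && get32(buf, 0) != PCAP_MAGIC) return -1;
    for (pass = 0; pass < 2; pass++) {            /* pass 0 validates, pass 1 writes */
        size_t off = 24;
        for (n = 0; off < len; n++) {
            if (len - off < 16) return -1;        /* 16-byte record header */
            uint32_t caplen = get32(buf + off + 8, swap);   /* incl_len */
            if (caplen > len - off - 16) return -1;
            if (pass == 1)                        /* uint32 wraparound handles negative delta */
                put32(buf + off, get32(buf + off, swap) + (uint32_t)delta_sec, swap);
            off += 16 + (size_t)caplen;
        }
    }
    return n;
}

/* Constructed sample: one 4-byte packet stamped 999637200, shifted back 5 hours. */
uint32_t demo_shift(int swap) {
    uint8_t cap[24 + 16 + 4] = {0};
    put32(cap, PCAP_MAGIC, swap);
    put32(cap + 24, 999637200u, swap);            /* ts_sec */
    put32(cap + 32, 4, swap);                     /* incl_len */
    put32(cap + 36, 4, swap);                     /* orig_len */
    if (pcap_shift_time(cap, sizeof cap, -5 * 60 * 60) != 1) return 0;
    return get32(cap + 24, swap);
}
int main(void) { return demo_shift(0) == 999619200u && demo_shift(1) == 999619200u ? 0 : 1; }
```

Work on a copy and keep the original capture, recording the applied offset next to the corrected file so the timeline correction can be audited later.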