On Dec 2, 2003, at 7:54 AM, Martijn Schipper wrote:
Ok, so I started to make a file decoder for AiroPeek version 9 files. Find attached the diff file (against 0.9.16) and the new decoder.
Checked in, with some cleanups.
It seems that only AiroPeek moved to this new file format, so that is why I called it airopeek9. (I downloaded the latest demo version of Etherpeek and the samples that came with this version are still version 7 files). Does anyone know if EtherPeek also uses V9 files?
What about EtherPeek NX? (The new file format's MediaType value matches what appears in AiroPeek captures, so perhaps it's currently only used for AiroPeek - maybe they wanted to add a bunch of additional information, and decided to go with a new format.)
There is still one problem with this version: the time stamp is NOT correct. It is still about 31 years in the future. The time difference between packets is OK. Has anybody a suggestion what could be the magic with the time stamps in these files?
Perhaps the time stamps in V9 files aren't relative to the Mac OS OT (the non-UNIX Mac OS) time origin, given that it's a new file format and that it's not a Mac application? (Sigh. Too bad the IOKit doesn't think 802.11 is different from 802.3....)
There are RawTime and Time values in the session header; the RawTime value appears either to be a UNIX time_t (seconds since January 1, 1970, 00:00:00 GMT) or a time_t with the time zone bias (also in the session header) factored in, if the Time value is to be believed. Perhaps the packet time stamps are relative to that time, which might be the starting time of the capture.
_______________________________________________ Ethereal-dev mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-dev
