[Ntop] PF_RING tcpdump, incorrect timestamps
Alexander Dupuy
alex.dupuy at mac.com
Thu Mar 15 02:31:59 CET 2012
On Mar 14, 2012, at 10:04, Jon Schipp wrote:
> Thanks for the reply Alex.
>
> The TZ variable on my system has not been set.
>
> It makes sense that it is displaying the UTC time, I overlooked that
> idea. I changed the TZ variable to a few different timezones and the
> original tcpdump program compiled from source from tcpdump.org changes
> appropriately as each new value of TZ is set. However, the PF_RING
> version of tcpdump does not seem to respect the TZ variable. I
> downloaded the source and compiled the source in the userland
> directory from the latest PF_RING tarball. As to why that is I'm not
> sure.
>
> If I write to disk (-w) and read with analysis tools other than the
> pf_ring modified tcpdump, the tools report the EST format of the time,
> which is the way I like it...easier to read.
>
> I set the TZ variable to "EST+4" and then recompiled tcpdump source
> from the PF_RING release, just to see if anything changed.
> It's still the same. When you mentioned TZ I thought "Voila" but the
> modified tcpdump does not seem to pay attention to TZ like the
> original does.
>
> Am I missing something? Any other pointers?
Without looking at the PF_RING modified tcpdump sources in some detail, I can't say, but perhaps there was a localtime() call changed to gmtime() somewhere.
@alex
--
mailto:alex.dupuy at mac.com
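
The localtime()/gmtime() difference suggested in the reply, as an added example that is not taken from the tcpdump or PF_RING sources: it formats one capture timestamp under several TZ values with both conversions and checks which of them reacts to TZ. The epoch value, the function names and the TZ strings other than "EST+4" are constructed for illustration; in POSIX TZ syntax "EST+4" means four hours west of UTC.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample: 2012-03-15 01:31:59 UTC as a capture timestamp. */
#define SAMPLE_TS ((time_t)1331775119)

/* Format the time-of-day of a packet timestamp under a given TZ value.
 * use_local=1 uses localtime_r() (honours TZ); 0 uses gmtime_r() (always UTC). */
const char *fmt_ts(time_t sec, const char *tz, int use_local,
                   char *buf, size_t len)
{
    struct tm tm;

    setenv("TZ", tz, 1);
    tzset();                       /* re-read TZ before converting */
    if (use_local)
        localtime_r(&sec, &tm);
    else
        gmtime_r(&sec, &tm);
    strftime(buf, len, "%H:%M:%S", &tm);
    return buf;
}

/* Returns 1 if the chosen conversion changes its output when TZ changes. */
int tz_sensitive(int use_local)
{
    char a[16], b[16];

    fmt_ts(SAMPLE_TS, "UTC0", use_local, a, sizeof a);
    fmt_ts(SAMPLE_TS, "EST+4", use_local, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    const char *zones[] = { "UTC0", "EST+4", "CET-1" };
    char l[16], g[16];

    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++)
        printf("TZ=%-6s localtime=%s gmtime=%s\n", zones[i],
               fmt_ts(SAMPLE_TS, zones[i], 1, l, sizeof l),
               fmt_ts(SAMPLE_TS, zones[i], 0, g, sizeof g));
    printf("localtime TZ-sensitive: %d, gmtime: %d\n",
           tz_sensitive(1), tz_sensitive(0));
    return 0;
}
```

The same two-TZ comparison can be run against any capture tool's printed output to see whether its timestamps are local or UTC before correlating them with other logs.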