Wireshark dissector: formatting an epoch time

Time: 2019-01-15 07:15:06

Tags: wireshark wireshark-dissector

I am writing a Wireshark dissector (in C, not Lua).

I have a uint64 time field that represents nanoseconds since the Unix epoch.

I want to print the time in Wireshark in a human-readable format.

I looked around for documentation on how to do this, and the only time-related function I found was proto_tree_add_time, at https://anonsvn.wireshark.org/wireshark/trunk-1.6/doc/README.developer

I ended up writing a helper function like this:

/* Reads an 8-byte little-endian "nanoseconds since the Unix epoch" field at
 * field_offset and adds it to the tree as a time item (field_id must be
 * registered with a time-based field type such as FT_ABSOLUTE_TIME). */
static void add_pretty_time(tvbuff_t* tvb, proto_tree* body, unsigned field_offset, int field_id)
{
    uint64_t raw_time = tvb_get_letoh64(tvb, field_offset);  /* little-endian 64-bit read */
    nstime_t time;
    time.secs = raw_time / 1000000000;   /* whole seconds since the epoch */
    time.nsecs = raw_time % 1000000000;  /* remaining nanoseconds, 0..999999999 */
    proto_tree_add_time(body, field_id, tvb, field_offset, 8, &time);  /* 8 = field length in bytes */
}

Does Wireshark offer some other, more elegant way to do this? For example, FT_UINT64, BASE_DEC in the hf_register_info array specifies that the field should be parsed as a uint64 and displayed in decimal. Something like FT_EPOCH64, ISO_FORMAT in the hf_register_info array would be ideal.

1 answer:

Answer 0 (score: 0)

For FT_ABSOLUTE_TIME fields, the encoding specifies the form in which the timestamp is given, as well as its byte order. The timestamp encodings currently supported are listed at: https://github.com/wireshark/wireshark/blob/master/doc/README.dissector#L1648

ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes.  For 8 bytes, the first 4
    bytes are seconds and the next 4 bytes are nanoseconds; for 12
    bytes, the first 8 bytes are seconds and the next 4 bytes are
    nanoseconds; for 16 bytes, the first 8 bytes are seconds and
    the next 8 bytes are nanoseconds.  The seconds are seconds
    since the UN*X epoch (1970-01-01 00:00:00 UTC).  (I.e., a UN*X
    struct timespec with a 4-byte or 8-byte time_t or a structure
    with an 8-byte time_t and an 8-byte nanoseconds field.)

ENC_TIME_NTP - 8 bytes; the first 4 bytes are seconds since the NTP
    epoch (1900-01-01 00:00:00 GMT) and the next 4 bytes are 1/2^32's of
    a second since that second.  (I.e., a 64-bit count of 1/2^32's of a
    second since the NTP epoch, with the upper 32 bits first and the
    lower 32 bits second, even when little-endian.)

ENC_TIME_TOD - 8 bytes, as a count of microseconds since the System/3x0
    and z/Architecture epoch (1900-01-01 00:00:00 GMT).

ENC_TIME_RTPS - 8 bytes; the first 4 bytes are seconds since the UN*X
    epoch and the next 4 bytes are 1/2^32's of a second since that
    second.  (I.e., it's the offspring of a mating between UN*X time and
    NTP time.)  It's used by the Object Management Group's Real-Time
    Publish-Subscribe Wire Protocol for the Data Distribution Service.

ENC_TIME_SECS_USECS - 8 bytes; the first 4 bytes are seconds since the
    UN*X epoch and the next 4 bytes are microseconds since that
    second.  (I.e., a UN*X struct timeval with a 4-byte time_t.)

ENC_TIME_SECS - 4 to 8 bytes, representing a value in seconds since
    the UN*X epoch.

ENC_TIME_MSECS - 6 to 8 bytes, representing a value in milliseconds
    since the UN*X epoch.

ENC_TIME_SECS_NTP - 4 bytes, representing a count of seconds since
    the NTP epoch.  (I.e., seconds since the NTP epoch.)

ENC_TIME_RFC_3971 - 8 bytes, representing a count of 1/64ths of a
    second since the UN*X epoch; see section 5.3.1 "Timestamp Option"
    in RFC 3971.

ENC_TIME_MSEC_NTP - 4-8 bytes, representing a count of milliseconds since
    the NTP epoch.  (I.e., milliseconds since the NTP epoch.)

None of them corresponds to a uint64 of nanoseconds since the epoch.

The add_pretty_time helper written in the question is the right approach, since without a built-in encoding to help us we are forced to use proto_tree_add_time rather than the standard proto_tree_add_item.

This still requires the hf_register_info array to hold the right values: we must use a time-based field type and a time-based display format. An example of the former: FT_ABSOLUTE_TIME. An example of the latter: ABSOLUTE_TIME_UTC. The list of each can be found at https://github.com/boundary/wireshark/blob/master/epan/proto.c#L4742 and https://github.com/wireshark/wireshark/blob/master/doc/README.dissector#L147 respectively.
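The conversion that add_pretty_time performs, carried through end to end outside Wireshark, as an added example that is not part of the question or the answer: the 8 little-endian wire bytes are read into a uint64 (what tvb_get_letoh64 does for a tvbuff), split into the secs/nsecs pair that proto_tree_add_time expects, and rendered as ISO 8601 UTC, roughly what an FT_ABSOLUTE_TIME field with ABSOLUTE_TIME_UTC shows in the details pane. The ns_time struct is a stand-in for Wireshark's nstime_t, the 1547536506123456789 sample value is constructed for the example, and the truncated-buffer check stands in for the exception Wireshark raises when a field runs past the end of the packet.

```c
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NS_PER_SEC 1000000000ULL

/* Stand-in for Wireshark's nstime_t (constructed for this example). */
typedef struct {
    int64_t secs;   /* seconds since the Unix epoch */
    int32_t nsecs;  /* nanoseconds within that second, 0..999999999 */
} ns_time;

/* Read 8 little-endian bytes, as tvb_get_letoh64 does for a tvbuff.
 * Returns 0 on success, -1 if fewer than 8 bytes remain (a truncated
 * packet must never be read past its end). */
int read_le_u64(const uint8_t *buf, size_t len, uint64_t *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[i];
    *out = v;
    return 0;
}

/* Little-endian writer, used only to build the sample wire bytes. */
void write_le_u64(uint64_t v, uint8_t out[8])
{
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Split "nanoseconds since the epoch" into secs/nsecs: the same arithmetic
 * as the question's add_pretty_time helper. */
ns_time ns_epoch_to_nstime(uint64_t raw_ns)
{
    ns_time t;
    t.secs = (int64_t)(raw_ns / NS_PER_SEC);
    t.nsecs = (int32_t)(raw_ns % NS_PER_SEC);
    return t;
}

/* Render as ISO 8601 UTC with nanosecond precision.
 * Returns 0 on success, -1 if secs does not fit in time_t or out is too small. */
int format_iso8601_utc(ns_time t, char *out, size_t out_len)
{
    time_t secs = (time_t)t.secs;
    if ((int64_t)secs != t.secs)   /* would silently truncate on a narrow time_t */
        return -1;
    struct tm tm;
    if (gmtime_r(&secs, &tm) == NULL)
        return -1;
    char date[32];
    if (strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%S", &tm) == 0)
        return -1;
    int n = snprintf(out, out_len, "%s.%09" PRId32 "Z", date, t.nsecs);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Wire bytes -> display string; also hands back the parsed secs/nsecs. */
int decode_le_ns_epoch(const uint8_t *buf, size_t len,
                       char *out, size_t out_len, ns_time *parsed)
{
    uint64_t raw;
    if (read_le_u64(buf, len, &raw) != 0)
        return -1;
    ns_time t = ns_epoch_to_nstime(raw);
    if (parsed != NULL)
        *parsed = t;
    return format_iso8601_utc(t, out, out_len);
}

int main(void)
{
    /* Constructed sample: 2019-01-15 07:15:06.123456789 UTC as ns since the epoch */
    uint8_t wire[8];
    write_le_u64(1547536506123456789ULL, wire);
    char text[64];
    ns_time t;
    if (decode_le_ns_epoch(wire, sizeof wire, text, sizeof text, &t) == 0)
        printf("%s (secs=%" PRId64 " nsecs=%" PRId32 ")\n", text, t.secs, t.nsecs);
    return 0;
}
```

In the real dissector the split lives in add_pretty_time and the formatting is done by Wireshark from the hf_register_info entry, which is why the field still has to be registered with FT_ABSOLUTE_TIME and ABSOLUTE_TIME_UTC as the answer says; the length check here is the part a dissector gets for free from the tvbuff API.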