From d347b7284f09a5145f07e1620984ae8b06ab3357 Mon Sep 17 00:00:00 2001
From: Guy Harris <guy@alum.mit.edu>
Date: Thu, 16 Oct 2014 03:01:28 -0700
Subject: Don't try to compute time stamps for files from Packet Builder.

I don't trust Packet Builder's ability to convert time stamps between
Capsa format and pcap.

Change-Id: I0ac2e14216e37127d81d5bf1c6d48a2c20841a8e
Reviewed-on: https://code.wireshark.org/review/4721
Reviewed-by: Guy Harris <guy@alum.mit.edu>
---
 wiretap/capsa.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

(limited to 'wiretap/capsa.c')

diff --git a/wiretap/capsa.c b/wiretap/capsa.c
index ee404f8ba6..227df2113a 100644
--- a/wiretap/capsa.c
+++ b/wiretap/capsa.c
@@ -318,7 +318,9 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 	guint32	packet_size;
 	guint32 orig_size;
 	guint32 header_size;
+#if 0
 	guint64 timestamp;
+#endif
 
 	/* Read record header. */
 	switch (capsa->format_indicator) {
@@ -338,7 +340,6 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 		 */
 		timestamp -= G_GUINT64_CONSTANT(11644473600);
 #endif
-		phdr->presence_flags = WTAP_HAS_CAP_LEN;
 
 		/*
 		 * OK, the rest of this is variable-length.
@@ -360,17 +361,19 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 		orig_size = GUINT16_FROM_LE(pbrec_hdr.orig_len);
 		packet_size = GUINT16_FROM_LE(pbrec_hdr.incl_len);
 		header_size = sizeof pbrec_hdr;
+#if 0
 		timestamp = (((guint64)GUINT32_FROM_LE(pbrec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(pbrec_hdr.timestamplo);
 		/*
-		 * XXX - this seems to work for one pcap capture
-		 * converted to Capsa format by Packet Builder,
-		 * but it's a random magic number, so it might
-		 * not actually be the right value.
+		 * XXX - from the results of some conversions between
+		 * Capsa format and pcap by Colasoft Packet Builder,
+		 * I do not trust its conversion of time stamps (at
+		 * least one of Colasoft's sample files, when
+		 * converted to pcap format, has, as its time stamps,
+		 * time stamps on the day after the conversion was
+		 * done, which seems like more than just coincidence).
 		 */
 		timestamp -= G_GUINT64_CONSTANT(485946753291483);
-		phdr->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
-		phdr->ts.secs = (time_t)(timestamp / 1000000);
-		phdr->ts.nsecs = ((int)(timestamp % 1000000))*1000;
+#endif
 		break;
 
 	default:
@@ -426,6 +429,13 @@ capsa_read_packet(wtap *wth, FILE_T fh, struct wtap_pkthdr *phdr,
 	phdr->rec_type = REC_TYPE_PACKET;
 	phdr->caplen = packet_size;
 	phdr->len = orig_size;
+#if 0
+	phdr->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
+	phdr->ts.secs = (time_t)(timestamp / 1000000);
+	phdr->ts.nsecs = ((int)(timestamp % 1000000))*1000;
+#else
+	phdr->presence_flags = WTAP_HAS_CAP_LEN;
+#endif
 
 	/*
 	 * Read the packet data.
-- 
cgit v1.2.1