html tool

Monday, March 19, 2018

Modifying pcap timestamps

Reference: https://ervikrant06.wordpress.com/2015/01/18/how-to-change-timezone-while-analyzing-pcap-file/

Original text:
[root@Node2 ~]# capinfos -ae /tmp/test.pcap
File name:           /tmp/test.pcap
Start time:          Tue Jan 13 17:46:54 2015
End time:            Tue Jan 13 17:46:55 2015
I modified the timings with the help of editcap. Here the value given, -37800, is in seconds. I have added the – sign because we want to decrease the time. If you are analyzing the same file on EST and you have captured the logs from IST, you need to use 37800 along with the – sign.
The 10.5 hours difference between IST and EST, in seconds, becomes 37800.
[root@Node2 ~]# editcap -t -37800 /tmp/test.pcap /tmp/test.EST.pcap
pdh1: 0x7ff641581af0
If I check the timing on the new file which we created in the previous step, it shows us the exact timing of the source EST server 🙂
[root@Node2 ~]# capinfos -ae /tmp/test.EST.pcap
File name:           /tmp/test.EST.pcap
Start time:          Tue Jan 13 07:16:54 2015
End time:            Tue Jan 13 07:16:55 2015
[popexizhi:
My own test results
Original packet:
2018-02-11 18:45:22.907790 IP 192.168.100.148.137 > 192.168.100.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
editcap -t -1 dga.pcap dga.pcap_1
2018-02-11 18:45:21.907790 IP 192.168.100.148.137 > 192.168.100.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
editcap -t +1 dga.pcap dga.pcap_1_
2018-02-11 18:45:23.907790 IP 192.168.100.148.137 > 192.168.100.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
]
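What editcap -t does at the file level, as an added example (not code from the original post or from Wireshark): each classic-pcap record header carries a seconds field and a microsecond/nanosecond field, and the shift is applied to the combined value so that a fraction that overflows or underflows carries into the seconds, exactly as the -1 / +1 runs above show. The function names and the sample capture are constructed for this illustration; pcapng files are not handled.

```python
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D   # classic pcap magic numbers


def _layout(data):
    """Return (struct endianness prefix, fractional units per second)."""
    for end in ('<', '>'):
        magic = struct.unpack(end + 'I', data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            return end, (1_000_000_000 if magic == MAGIC_NSEC else 1_000_000)
    raise ValueError('not a classic pcap file (pcapng is not handled here)')


def shift_pcap(data, seconds):
    """Copy of capture `data` with every record timestamp moved by `seconds`
    (negative = earlier), the same operation as `editcap -t <seconds>`."""
    end, units = _layout(data)
    delta = round(seconds * units)
    out = bytearray(data[:24])          # 24-byte global header copied unchanged
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(end + 'IIII', data[off:off + 16])
        total = sec * units + frac + delta      # carry handled on the combined value
        if total < 0:
            raise ValueError('shift would move a timestamp before the epoch')
        out += struct.pack(end + 'IIII', total // units, total % units, incl, orig)
        out += data[off + 16:off + 16 + incl]   # packet bytes are untouched
        off += 16 + incl
    return bytes(out)


def timestamps(data):
    """List of (seconds, fraction) per record, for checking the result."""
    end, _ = _layout(data)
    res, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _ = struct.unpack(end + 'IIII', data[off:off + 16])
        res.append((sec, frac))
        off += 16 + incl
    return res


def constructed_capture(records):
    """Build a little-endian microsecond pcap (linktype 1, Ethernet) from
    (sec, usec, payload) tuples. Constructed sample data, not a real capture."""
    blob = struct.pack('<IHHiIII', MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in records:
        blob += struct.pack('<IIII', sec, usec, len(payload), len(payload)) + payload
    return blob


IST_TO_EST = -(10 * 3600 + 30 * 60)   # -37800 s, the shift used in the post

if __name__ == '__main__':
    cap = constructed_capture([(1518345922, 907790, b'\x00' * 20)])
    print(timestamps(shift_pcap(cap, -1)))   # [(1518345921, 907790)]
```

As with editcap, the shifted data is written to a new file and the input is never modified, so the original capture stays available as the untouched reference copy.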
