How to change the timezone while analyzing a pcap file?

In this article I am going to show you how to adjust the timezone of the timestamps in a pcap file.

I have taken two servers running in different time zones.

1) I ran tcpdump on a server whose clock is in EST. I want to analyze the capture on a server whose clock is in IST.

[root@Linux65-1 ~]# date
Tue Jan 13 07:18:23 EST 2015

[root@Linux65-1 ~]# tcpdump -i eth0 host 192.168.111.121 -w /tmp/test.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C8 packets captured
9 packets received by filter
0 packets dropped by kernel

Checking the timestamps of the first and last captured packets:

[root@Linux65-1 ~]# capinfos -ae /tmp/test.pcap
File name:           /tmp/test.pcap
Start time:          Tue Jan 13 07:16:54 2015
End time:            Tue Jan 13 07:16:55 2015

2) I copied test.pcap to another server, which is running in IST.

[root@Node2 ~]# date
Tue Jan 13 17:46:46 IST 2015

I can see that the packet capture timings are now displayed in IST, which is not desirable.

[root@Node2 ~]# capinfos -ae /tmp/test.pcap
File name:           /tmp/test.pcap
Start time:          Tue Jan 13 17:46:54 2015
End time:            Tue Jan 13 17:46:55 2015

I modified the timings with the help of editcap. The value given, -37800, is in seconds. The minus sign is there because we want to decrease the time. If you are analyzing the file on an EST server and captured it on an IST server, use 37800 on its own, without the minus sign.

The 10.5-hour difference between IST and EST, expressed in seconds, is 37800.

[root@Node2 ~]# editcap -t -37800 /tmp/test.pcap /tmp/test.EST.pcap
pdh1: 0x7ff641581af0

If I check the timing on the new file created in the previous step, it shows the exact timing of the source EST server 🙂

[root@Node2 ~]# capinfos -ae /tmp/test.EST.pcap
File name:           /tmp/test.EST.pcap
Start time:          Tue Jan 13 07:16:54 2015
End time:            Tue Jan 13 07:16:55 2015
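As an added example (not from the original post), the following Python script computes the offset to pass to editcap -t from the two hosts' UTC offsets and applies the same shift to the ts_sec field of every record in a classic pcap, the way editcap does; the sample pcap, its timestamps and the function names are my own constructions.

```python
import struct
# Classic pcap magic values as read little-endian, mapped to the struct byte order.
PCAP_MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">", 0xa1b23c4d: "<", 0x4d3cb2a1: ">"}

def utc_offset_seconds(spec):
    """Parse a UTC offset such as '+05:30' (IST) or '-05:00' (EST) into seconds."""
    sign = -1 if spec[0] == "-" else 1
    hours, minutes = spec[1:].split(":")
    return sign * (int(hours) * 3600 + int(minutes) * 60)

def editcap_shift(capture_zone, analysis_zone):
    """Value for `editcap -t` so a capture from capture_zone shows the capturing host's clock on analysis_zone."""
    return utc_offset_seconds(capture_zone) - utc_offset_seconds(analysis_zone)

def shift_pcap(data, offset_seconds):
    """Copy of a classic pcap with every record's ts_sec moved by offset_seconds (a UTC epoch, like editcap)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a classic pcap (magic 0x{magic:08x}); pcapng not handled")
    fmt = PCAP_MAGICS[magic] + "IIII"  # record header: ts_sec, ts_frac, incl_len, orig_len
    out, pos = bytearray(data[:24]), 24  # global header is copied unchanged
    while pos < len(data):
        # struct.error here means the record header itself is truncated
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(fmt, data[pos:pos + 16])
        if pos + 16 + incl_len > len(data):
            raise ValueError("truncated packet data")
        new_sec = ts_sec + offset_seconds
        if not 0 <= new_sec < 2 ** 32:
            raise ValueError("shifted timestamp does not fit the 32-bit ts_sec field")
        out += struct.pack(fmt, new_sec, ts_frac, incl_len, orig_len)
        out += data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
    return bytes(out)

def record_timestamps(data):  # (ts_sec, ts_frac) of each record, used to verify a shift
    fmt = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]] + "IIII"
    stamps, pos = [], 24
    while pos < len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(fmt, data[pos:pos + 16])
        stamps.append((ts_sec, ts_frac))
        pos += 16 + incl_len
    return stamps

def build_sample_pcap(stamps):
    """Constructed little-endian pcap (linktype 1, Ethernet) holding dummy 14-byte frames."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 14, 14) + b"\x00" * 14
    return out
```

Because ts_sec is a UTC epoch, the shifted file no longer carries the true capture time; setting TZ changes only how the unchanged timestamps are displayed.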

Another method is to set the TZ environment variable on every command you use for analysis.

[root@Node2 ~]# TZ=EST capinfos -ae /tmp/test.pcap
File name:           /tmp/test.pcap
Start time:          Tue Jan 13 07:16:54 2015
End time:            Tue Jan 13 07:16:55 2015

I prefer the first method over this one.
