![]() This Hex time stamp can now be used to search the Pcap file opened up in a hex editor to find the exact packet that the timestamp was pulled from in Wireshark. ![]() Next we reverse this Hex value, 00 07 BA A5 to get this A5 BA 07 00, this is the sub second part of the time stamp or Milliseconds in our case.įinally we end up with a Hex timestamp of 6A308356 A5BA0700. The next step is to left pad this 7BAA5 with zeros to this 0007BAA5, we want it to be 4 bytes. See this in the reference for more Information. If we do not drop those 3 zeros then it converts to 1E311488 which is an incorrect conversion for our time precision used while capturing the packets. Next we take the last half 506533000 we cut the length down to 6, 506533 dropping the last 3 “0” zeros then we convert the remaining Decimal value to Hex like this 7BAA5 Next we reverse the “Bytes” of 56 83 30 6A to 6A 30 83 56, this part contains the time for seconds, days, month and year. Next we take the first part, before the decimal point, 1451438186 and convert it to Hex like this 56 83 30 6A To convert this we first split it at the decimal point. This value is in seconds since Janu00:00:00 GMTĪ normal timestamp in Wireshark will be like this Lets start with the actual conversion process. In this post I will attempt to explain the conversion process and show a couple of problems that you may be faced with while converting. In my last post I talked about getting a unique list of User-Agent strings and as a bonus I discovered that you can travel back and forth from Wireshark to a hex editor and back using the time stamps.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |