Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wrong timestamp in Packet Capture Output?

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 4 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      If you are managing firewalls in different timezones and trying to compare pcaps it's usually better to have everything in UTC. Personally I've always expected it to be in UTC so it never worried me.

      Sergei_ShablovskyS 1 Reply Last reply Reply Quote 2
      • Sergei_ShablovskyS
        Sergei_Shablovsky @stephenw10
        last edited by Sergei_Shablovsky

        @stephenw10 said in Wrong timestamp in Packet Capture Output:

        If you are managing firewalls in different timezones and trying to compare pcaps it's usually better to have everything in UTC. Personally I've always expected it to be in UTC so it never worried me.

        Hm… I am confused a little bit: I need LOGS and PCAPS data in one format (because log analyzers like Splunk, and monitoring like Prometheus need correct timestamp for alerting) why calculate all this in my head?

        Please explain Your reply a little bit more:)

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          If you have pcaps from firewalls all over the world you need them all in one time format if you want to compare them. UTC is chosen by tcpdump for that reason.

          johnpozJ Sergei_ShablovskyS 3 Replies Last reply Reply Quote 3
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @stephenw10
            last edited by johnpoz

            Yeah most everyone knows this right.. For example if I take a pcap on pfsense, it shows the time in utc.. But if I open that up in say wireshark.. And I have it show time.. It would show me the time based on my machine I am running wireshark on TZ..

            Why your not seeing lots of threads asking about this - is I would of thought everyone knew this ;) hehehe Well anyone that works with pcaps normally.

            utc.jpg

            When your working with devices all over the world, or even just a large enough country (with multiple zones).. Having stuff like this in common tz is the way to go.. if someone sent me a pcap, I would assume its in utc..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            Sergei_ShablovskyS 2 Replies Last reply Reply Quote 4
            • Sergei_ShablovskyS
              Sergei_Shablovsky @stephenw10
              last edited by

              This post is deleted!
              1 Reply Last reply Reply Quote 0
              • Sergei_ShablovskyS
                Sergei_Shablovsky @johnpoz
                last edited by

                This post is deleted!
                1 Reply Last reply Reply Quote 0
                • Sergei_ShablovskyS
                  Sergei_Shablovsky @stephenw10
                  last edited by Sergei_Shablovsky

                  @stephenw10 said in [CLOSED] Wrong timestamp in Packet Capture Output?:

                  If you have pcaps from firewalls all over the world you need them all in one time format if you want to compare them. UTC is chosen by tcpdump for that reason.

                  From my point of view we all go off-topic: instead of having ALL logs in System in one format we start discussing why we have different format for each set of logs.

                  This is common sense, and logically right: HAVING ALL LOGS INSIDE OF SYSTEM IN ONE FORMAT.

                  This not only means less parsing in 3-rd tools (whatever Splunk, Prometheus, etc…), but less time spend by SysAdmins to solving problems.

                  WHY I need to have
                  in most of all logs (syslog format, RFC 5424 + RFC 3339)
                  2024-01-30 14:54:11.177673+02:00
                  in OS Account Changes
                  2024-01-28 15:43:2
                  in Packet Capture
                  13:01:06.991876

                  ????

                  1 Reply Last reply Reply Quote 0
                  • Sergei_ShablovskyS
                    Sergei_Shablovsky @johnpoz
                    last edited by Sergei_Shablovsky

                    @johnpoz said in [CLOSED] Wrong timestamp in Packet Capture Output?:

                    Yeah most everyone knows this right.. For example if I take a pcap on pfsense, it shows the time in utc.. But if I open that up in say wireshark.. And I have it show time.. It would show me the time based on my machine I am running wireshark on TZ..

                    From developers point of view:
                    If You decide to show pcap results inside the WebGUI of pfSense - than logically right to show in the same format as the all other logs!
                    If You decide to just making pcap file for future import to WireShark, - logically right just making the .pcap file and dynamically making the link to download / copy to buffer it

                    Why your not seeing lots of threads asking about this - is I would of thought everyone knew this ;) hehehe Well anyone that works with pcaps normally.

                    utc.jpg

                    When your working with devices all over the world, or even just a large enough country (with multiple zones).. Having stuff like this in common tz is the way to go.. if someone sent me a pcap, I would assume its in utc..

                    Thank You for detailed explanation: I clearly understanding Your point of view.

                    But WHY I need to see ON-SCREEN pcap in other format than whole system ???

                    If I using WireShark no matter what are on screen, I just import file by ssh or copy from screen whole pcap. And than switching back and forth between WireShark and pfSense on-screen logs.

                    But here I asking about WHY I need to have
                    in most of all logs (syslog format, RFC 5424 + RFC 3339)
                    2024-01-30 14:54:11.177673+02:00
                    in OS Account Changes
                    2024-01-28 15:43:2
                    in Packet Capture
                    13:01:06.991876

                    ????

                    If work with logs on screen, everyone need to see standardized data to be able understanding when something happened and how this “happened” impact on other processes.

                    Why I need to look at 3-4 different formats?
                    Because someone in pfSense dev group (with all my honors!) have too much work to change 2 strings in code? (That not something difficult, just change the format of output).

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      This should be a feature request. The ability to use local timestamps seems like a useful addition. It's not a bug though.

                      Sergei_ShablovskyS 1 Reply Last reply Reply Quote 1
                      • Sergei_ShablovskyS
                        Sergei_Shablovsky @stephenw10
                        last edited by Sergei_Shablovsky

                        @stephenw10 said in Wrong timestamp in Packet Capture Output?:

                        This should be a feature request. The ability to use local timestamps seems like a useful addition.

                        Totally agree!
                        Already created yesterday.

                        It's not a bug though.
                        Of course, just developers have not polished this many years ago.

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.