I believe this started since daylight savings time, but I could be wrong. The timestamps of tcpdump and Snort are an hour a head of Argus and Tshark timestamps. My question which one is correct, and how can I sync them?
$ tcpdump -nn -r tcpdump.pcap 'tcp[13] = 2 && port 22 && port 34288'
165914.969056 IP 111.222.333.444.34288 > 192.168.0.10.22 Flags, seq 1362408883, win 5840, options [mss 1460,sackOK,TS val 3261132 ecr 0,nop,wscale 6], length 0$ ra -nnr argus.cluster - 'tcp && port 22 && port 34288'
155914.969056 e d 6 111.222.333.444.34288 -> 192.168.0.10.22 8 561 RST
$ tshark -nnr honeypot.pcap -ta 'tcp.flags == 2 && tcp.port == 22 && tcp.port == 34288'
849 155914.969056 111.222.333.444 -> 192.168.0.10 TCP 34288 > 22 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3261132 TSER=0 WS=6
$ uname -a
Linux SIFT-Workstation 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 052309 UTC 2010 i686 GNU/Linux
tcpdump version 4.0.0
libpcap version 1.0.0
Snort Version 2.8.4.1 (Build 38)
Argus Version 3.0.2
TShark 1.2.2
/etc/timzone includes the details of the current server timezone configured.
By default, all output lines are preceded by a timestamp. The timestamp is the current clock time in the form
hhmmss.frac
and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet. No attempt is made to account for the time lag between when the Ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt.
Don't know how much this helps … If in doubt - test.
-)
Yup, the timezone appears to be correct. I don't understand how I can run a few programs on the same computer with the same timezone and they look at the same times from the same pcap file and some programs show a time an hour after others. This is mind bottling.