Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 14 Sep 2023 15:21:56 -0400
From:      mike tancsa <mike@sentex.net>
To:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: tcpdump and timezone mismatch (STABLE 14 vs STABLE 13)
Message-ID:  <da051593-64aa-40bb-9b73-c619741aa873@sentex.net>
In-Reply-To: <b45dcba7-4ec1-4bea-8eeb-f5be01e29b5b@sentex.net>
References:  <b45dcba7-4ec1-4bea-8eeb-f5be01e29b5b@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 9/14/2023 12:24 PM, mike tancsa wrote:
> Just starting to play around with RELENG_14 and noticed one odd thing 
> I didnt see in the UPDATING notes.  The server's Timezone is set to 
> EDT (GMT-4), but tcpdumping the pflogs show it in UTC.
>
> # date
> Thu Sep 14 12:22:11 EDT 2023
> # tcpdump -ner /var/log/pflog | tail -1
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog 
> file), snapshot length 200
> 16:21:18.848111 rule 0/0(match): block in on vtnet0: 
> 185.11.61.68.52750 > xxx.yyy.zzz.141.33428: Flags [S], seq 4237808372, 
> win 1024, length 0
>
> #
>
> Same with dumping pflog0 in real time
>
> # tcpdump -nei pflog0 action block
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot 
> length 262144 bytes
>
> 16:22:59.205362 rule 0/0(match): block in on vtnet0: 
> 198.12.88.139.58870 > xxx.yyy.zzz.141.4963: Flags [S], seq 3991681664, 
> win 1024, length 0
>
> Is there a way to change this behavior ? Is it expected ?
>

I tried tcpdump from ports and the same thing. If I set my server's 
timezone to UTC, the tcpdump at least matches the server's timezone.  If 
I copy the pcap file to a releng13 box that has localtime set to EDT, 
tcpdump on it shows the correct time. Its almost as if tcpdump does not 
see /etc/localtime ? Perms look right

root@nano14:~ # ls -l /etc/localtime
-r--r--r--  1 root wheel 3494 Aug 26 08:11 /etc/localtime
root@nano14:~ #

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?da051593-64aa-40bb-9b73-c619741aa873>