"frames" method in sharkd does not consider time references and displays incorrect delta time
Summary
It seems that some changes in sharkd last year broke time references and the delta time displayed when calling the frame method.
I tracked it down to this commit c4731738, when sharkd_dissect_columns was replaced by sharkd_dissect_request. The parameters ref_frame and prev_dis_num were replaced by (framenum != 1) ? 1 : 0 and framenum - 1.
Later, people noticed that the mentioned variables were not used anymore and removed the dead code in commit c7ed8aa3.
It turns out that these variables and the removed dead code were necessary to support time references and things like delta time (displayed).
Steps to reproduce
Testing time references against version 3.6.1.
{"jsonrpc": "2.0", "id": 1, "method":"load", "params" : {"file":"/pcaps/fast-open.pcapng"}}
load: filename=/pcaps/fast-open.pcapng
{"jsonrpc":"2.0","id":1,"result":{"status":"OK"}}
{"jsonrpc": "2.0", "id": 1, "method":"frames","params":{"column0":"frame.number:1","column1":"frame.time_relative:1","column10":"ip.dst:1","column11":"tcp.srcport:1","column12":"tcp.dstport:1","column13":"udp.srcport:1","column14":"udp.dstport:1","column2":"9","column3":"39","column4":"14","column5":"frame.len:1","column6":"28","column7":"tcp.stream:1","column8":"udp.stream:1","column9":"ip.src:1","filter":"ip.src == 17.252.75.246","limit":1000,"refs":"2"}}
{"jsonrpc":"2.0","id":1,"result":[{"c":["2","0.027980000","0.027980","17.252.75.246","192.168.251.18","74","443 → 57052 [SYN, ACK] Seq=0 Ack=518 Win=28960 Len=0 MSS=1363 WS=512 SACK_PERM=1 TSval=2399407262 TSecr=799002851","0","","17.252.75.246","192.168.251.18","443","57052","",""],"num":2},{"c":["4","0.028449000","0.000372","17.252.75.246","192.168.251.18","185","Server Hello, Change Cipher Spec, Encrypted Handshake Message","0","","17.252.75.246","192.168.251.18","443","57052","",""],"num":4}....]}
What is the current bug behavior?
In this version the frame 2 does not have a REF and the delta time is not 0 as it should be for the first displayed frame.
What is the expected correct behavior?
Testing time references against (a slightly modified) version 3.4.3. Note the REF and 0.000000000 in the response. "column2":"9" is the field frame.time_delta_displayed. In this version the REFs and delta times are calculated correctly:
{"req" : "load", "file" : "/pcaps/fast-open.pcapng"}
{"err":0}
{"req": "frames", "column0":"frame.number:1","column1":"frame.time_relative:1","column10":"ip.dst:1","column11":"tcp.srcport:1","column12":"tcp.dstport:1","column13":"udp.srcport:1","column14":"udp.dstport:1","column2":"9","column3":"39","column4":"14","column5":"frame.len:1","column6":"28","column7":"tcp.stream:1","column8":"udp.stream:1","column9":"ip.src:1","filter":"ip.src == 17.252.75.246","limit":1000,"refs":"2"}
{"packets":[{"c":[2,0.000000000,"REF","17.252.75.246","192.168.251.18",74,"443 → 57052 [SYN, ACK] Seq=0 Ack=518 Win=28960 Len=0 MSS=1363 WS=512 SACK_PERM=1 TSval=2399407262 TSecr=799002851",0,"","17.252.75.246","192.168.251.18",443,57052,"",""],"num":2},{"c":[4,0.000469000,0.000469,"17.252.75.246","192.168.251.18",185,"Server Hello, Change Cipher Spec, Encrypted Handshake Message",0,"","17.252.75.246","192.168.251.18",443,57052,"",""],"num":4}....],"frames_displayed":12,"bytes_displayed":2459,"frames_matching":12,"bytes_matching":2459,"frames_total":24,"limit":1000}
Build information
3.6.1
Fix
To get an idea how to fix it have a look here:
However, note that that version does not only fix the issue but also introduces some customizations that are not API compatible with the official response format of the frames method (putting frames in a separate array and introducing fields to count matching packets, bytes and so on).
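
The bookkeeping this report describes, as an added example (a simplified model, not sharkd code and not part of the original report): one loop carries ref_frame and prev_dis_num across frames, the other uses the fixed values (framenum != 1) ? 1 : 0 and framenum - 1. The types, function names and the timestamps of frames 1 and 3 are assumptions, chosen so that both loops reproduce the column values in the two responses above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not sharkd's. Times are in nanoseconds. */
struct frame { uint32_t num; int64_t ts_ns; int displayed; int is_ref; };
struct cols  { int64_t rel_ns; int64_t delta_dis_ns; };

/* Constructed sample: frames 2 and 4 pass the filter, "refs":"2". */
static const struct frame sample[] = {
    {1, 0, 0, 0}, {2, 27980000, 1, 1}, {3, 28077000, 0, 0}, {4, 28449000, 1, 0},
};

/* Timestamp by 1-based frame number; callers never pass 0. */
static int64_t ts_of(const struct frame *f, uint32_t num) { return f[num - 1].ts_ns; }

/* Carries the latest reference frame and the previous displayed frame. */
void columns_tracked(const struct frame *f, size_t n, struct cols *out)
{
    uint32_t ref_frame = 0, prev_dis_num = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].is_ref || ref_frame == 0) ref_frame = f[i].num;
        if (!f[i].displayed) continue;      /* filtered out: no row */
        out[i].rel_ns = f[i].ts_ns - ts_of(f, ref_frame);
        out[i].delta_dis_ns = prev_dis_num ? f[i].ts_ns - ts_of(f, prev_dis_num) : 0;
        prev_dis_num = f[i].num;
    }
}

/* Uses the fixed values named in the report: frame 1 and framenum - 1. */
void columns_fixed(const struct frame *f, size_t n, struct cols *out)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t framenum = f[i].num;
        uint32_t ref_frame = (framenum != 1) ? 1 : 0, prev = framenum - 1;
        if (!f[i].displayed) continue;
        out[i].rel_ns = ref_frame ? f[i].ts_ns - ts_of(f, ref_frame) : 0;
        out[i].delta_dis_ns = prev ? f[i].ts_ns - ts_of(f, prev) : 0;
    }
}

int main(void)
{
    struct cols t[4] = {{0}}, b[4] = {{0}};
    columns_tracked(sample, 4, t);
    columns_fixed(sample, 4, b);
    for (int i = 1; i < 4; i += 2)   /* rows for frames 2 and 4 */
        printf("frame %d tracked %lld/%lld fixed %lld/%lld\n", i + 1, (long long)t[i].rel_ns,
               (long long)t[i].delta_dis_ns, (long long)b[i].rel_ns, (long long)b[i].delta_dis_ns);
    return 0;
}
```
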