Time

Time is represented differently in every parser. If you want Network Monitor to be able to filter on your time field in a generic fashion, you must convert the field to a Win32 SYSTEMTIME value and call AttachPropertyInstanceEx on it. For example, in the SMB parser:

//////////////////////////////////////////////////////////////////
//
// attach_time2 - Attach a property whose data is an embedded 
//      date/time dword.  Convert the date/time into a SYSTEMTIME 
//      struct and call AttachPropertyInstanceEx().
//
// changed to use bitfields to fix bug
//////////////////////////////////////////////////////////////////

// Bit-field view of the date half of the packed date/time value
// (attach_time2 overlays this on the second WORD of the DWORD).
// NOTE(review): bit-field allocation order and storage-unit size are
// implementation-defined. With an `unsigned int` base type the struct can be
// 4 bytes rather than 2, so an access through a pointer to the second WORD
// of a DWORD may touch bytes beyond that DWORD - confirm for the compiler
// in use before overlaying this on frame data.
typedef struct _TIMECONVHIWORD {
   unsigned int Day  : 5;    // day of month, copied to wDay as-is
   unsigned int Month  : 4;  // month, copied to wMonth as-is (4 bits can hold 0-15)
   unsigned int Year  : 7;   // year offset; attach_time2 adds 1980
   } TIMECONVHIWORD;

// Bit-field view of the time half of the packed date/time value
// (attach_time2 overlays this on the start of the DWORD).
// The same implementation-defined layout caveat applies here.
typedef struct _TIMECONVLOWORD {
   unsigned int Second  : 5; // stored in 2-second units; attach_time2 doubles it
   unsigned int Minute  : 6; // minute, copied to wMinute as-is (6 bits can hold 0-63)
   unsigned int Hour   : 5;  // hour, copied to wHour as-is (5 bits can hold 0-31)
   } TIMECONVLOWORD;

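// attach_time2 - decode the packed date/time at `time` into a SYSTEMTIME and
// attach it, together with the raw DWORD, via AttachPropertyInstanceEx().
//
//   fhandle - frame handle passed through to AttachPropertyInstanceEx
//   prop    - index into property_table; not range-checked here
//   time    - points at the 4-byte packed date/time; the caller must ensure
//             all four bytes lie inside the captured frame, since this
//             function has no length to check against
//   cmd     - passed through to AttachPropertyInstanceEx
//
// The value is decoded from exactly four bytes with shifts and masks rather
// than through the TIMECONVLOWORD / TIMECONVHIWORD bit-field overlays. Those
// structs use an `unsigned int` base type, so reading the date half through
// a pointer to the second WORD can load two bytes past the DWORD, and the
// result depends on implementation-defined bit-field layout. Byte-wise reads
// also avoid alignment and aliasing assumptions about frame data. The bit
// positions below are the ones the overlay yields on little-endian targets
// that allocate bit-fields from the least significant bit.
void attach_time2(HFRAME fhandle,
      WORD prop,
      DWORD * time,
      WORD cmd)
{
    SYSTEMTIME systime;
    const unsigned char *raw = (const unsigned char *) time;

    // Low word (bytes 0-1) holds the time, high word (bytes 2-3) the date.
    unsigned int lo = (unsigned int) raw[0] | ((unsigned int) raw[1] << 8);
    unsigned int hi = (unsigned int) raw[2] | ((unsigned int) raw[3] << 8);

    // NOTE(review): these fields come straight from the frame and are not
    // range-checked. The encoding can express month 0 or 13-15, day 0,
    // hour 24-31, minute 60-63 and seconds up to 62; confirm how consumers
    // of the attached SYSTEMTIME treat out-of-range values.
    systime.wYear    = (WORD) (((hi >> 9) & 0x7F) + 1980);  // 7-bit offset from 1980
    systime.wMonth   = (WORD) ((hi >> 5) & 0x0F);
    systime.wDay     = (WORD) (hi & 0x1F);
    systime.wHour    = (WORD) ((lo >> 11) & 0x1F);
    systime.wMinute  = (WORD) ((lo >> 5) & 0x3F);
    systime.wSecond  = (WORD) ((lo & 0x1F) * 2);            // stored in 2-second units

    // The packed format carries neither of these.
    systime.wDayOfWeek = 0;
    systime.wMilliseconds = 0;

    AttachPropertyInstanceEx(fhandle,
              property_table[prop].hProperty,
              sizeof(DWORD),
              time,
              sizeof(SYSTEMTIME),
              &systime,
              cmd,
              PL_COMMAND,
              0);
}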