When running a capture, the timestamp for the packets captured by Wireshark is not the same as the time on the local machine. As a matter of fact, if I run a capture on two machines talking to each other, both captures will have the wrong time, but they are different. Anyone seen this before? asked 03 Dec '10, 13:23 gazoo
One Answer:
When capturing, Wireshark gets the timestamp data from WinPcap, which gets them from the underlying OS. When reading a capture file, the timestamps (obviously) come from that file's data. You can run into differences based on precision (Wireshark natively goes down to nanoseconds, but some capture utilities go no further than microseconds) and accuracy (how accurate were the OS clocks to start with?). You can also see cases where the type of adapter in use skews the timestamps; USB network adapters are notoriously imprecise in this respect. Remember that the timestamps are applied when the OS kernel processes the packet, so any latency along the way (say, the USB bus in the case of those adapters) will be reflected in "poor" timestamps. How far off are the timestamps in your case? answered 03 Dec '10, 16:21 wesmorgan1
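The answer's two points, timestamp precision (microsecond versus nanosecond pcap files) and clock accuracy (the two hosts' clocks simply disagree, plus per-packet capture latency), can both be measured from the files themselves. The script below is an added example written for this page; it is not code from the question, the answer, or Wireshark. It parses classic pcap files directly, reports which resolution each file's magic number declares, and then matches packets common to two captures by payload to estimate the clock offset between the two machines and the spread (jitter) of that offset. The two captures, the 2.5-second skew and the USB-style latency values are constructed test data, not measurements from the poster's machines.

```python
import struct
from statistics import median

# Classic pcap magic numbers (as written in the file's own byte order).
MAGIC_USEC = 0xA1B2C3D4   # per-packet fraction field holds microseconds
MAGIC_NSEC = 0xA1B23C4D   # per-packet fraction field holds nanoseconds

NS_PER_S = 1_000_000_000


def read_pcap(data):
    """Parse a classic pcap byte string.

    Returns (resolution, packets) where resolution is "us" or "ns" and
    packets is a list of (timestamp_in_ns, payload_bytes). Timestamps are
    kept as integers so microsecond truncation is visible, not hidden by floats.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic_le)
    resolution = "ns" if magic == MAGIC_NSEC else "us"
    frac_to_ns = 1 if magic == MAGIC_NSEC else 1000
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        packets.append((sec * NS_PER_S + frac * frac_to_ns, payload))
    return resolution, packets


def write_pcap(packets, nanosecond=False):
    """Serialise (timestamp_ns, payload) pairs as a little-endian classic pcap.

    Used here only to build the constructed sample captures. Writing a
    microsecond file truncates sub-microsecond time, as a us-only tool would.
    """
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = bytearray(struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1))
    for ts_ns, payload in packets:
        sec, rem = divmod(ts_ns, NS_PER_S)
        frac = rem if nanosecond else rem // 1000
        out += struct.pack("<IIII", sec, frac, len(payload), len(payload))
        out += payload
    return bytes(out)


def clock_offset_ns(packets_a, packets_b):
    """Estimate clock B minus clock A from packets seen in both captures.

    Packets are matched by identical payload (first unmatched occurrence).
    Returns (median, min, max) of the per-packet differences in ns; the
    median is the clock skew, the min/max spread is capture latency jitter.
    """
    pending = {}
    for ts, payload in packets_b:
        pending.setdefault(payload, []).append(ts)
    deltas = []
    for ts, payload in packets_a:
        matches = pending.get(payload)
        if matches:
            deltas.append(matches.pop(0) - ts)
    if not deltas:
        raise ValueError("no packets in common between the two captures")
    return median(deltas), min(deltas), max(deltas)


def demo():
    """Constructed scenario: host A captures at us resolution, host B at ns.

    Host B's clock is assumed 2.5 s ahead and its USB adapter adds a
    different delay to each packet (values invented for illustration).
    """
    base = 1_291_411_380 * NS_PER_S          # an arbitrary epoch, 2010-12-03
    payloads = [b"frame-%d" % i for i in range(4)]
    host_a = [(base + i * 10_000_000 + 500, p) for i, p in enumerate(payloads)]
    usb_latency_ns = [0, 120_000, 40_000, 80_000]
    host_b = [(ts + 2_500_000_000 + usb_latency_ns[i], p)
              for i, (ts, p) in enumerate(host_a)]
    res_a, pkts_a = read_pcap(write_pcap(host_a, nanosecond=False))
    res_b, pkts_b = read_pcap(write_pcap(host_b, nanosecond=True))
    med, lo, hi = clock_offset_ns(pkts_a, pkts_b)
    return {"resolution_a": res_a, "resolution_b": res_b,
            "median_offset_ns": med, "min_offset_ns": lo, "max_offset_ns": hi}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against real captures, replace the constructed `host_a`/`host_b` lists with `read_pcap(open(path, "rb").read())` for each file. A median offset of seconds or more means the hosts' clocks disagree (the accuracy problem); a min/max spread of tens or hundreds of microseconds on otherwise identical packets is the per-packet capture latency the answer attributes to the adapter path, and a microsecond file will additionally show every sub-microsecond fraction truncated to zero.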