This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tracing doesn't matched the users experience in terms of watching the clock on the PC, but Wireshark is about 20 seconds behind the actual time. As the trace goes on the time of the Wireshark packets gets more behind the actual time so that by the end of a 5 minute trace it is over 60 seconds behind. Why is this and can this be corrected. My platform is XP pro.

This question is marked "community wiki".

asked 16 Feb '11, 11:58

30michael's gravatar image

30michael
1111
accept rate: 0%

What's the interface captured on?

(16 Feb '11, 23:06) Jaap ♦

Can you confirm whether the problem is only real-time display or the actual timestamps on packets? The former might be if you have a very busy network and wireshark is trying to do name resolution on IP addresses and not keeping up. However this would not change the actually time stamp. The best way to check this is to look for NTP packets on the network which will of course have very-close to real timestamps. Also if you look inside HTTP headers of say HTTP 200 OK responses there will be Date: timestamp that can be compared with the libpcap (Wireshark) applied timestamp

(17 Feb '11, 22:13) martyvis
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×62

question asked: 16 Feb '11, 11:58

question was seen: 2,377 times

last updated: 17 Feb '11, 22:13

p​o​w​e​r​e​d by O​S​Q​A