This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark time behind the actual time


Tracing doesn't match the user's experience in terms of watching the clock on the PC, but Wireshark is about 20 seconds behind the actual time. As the trace goes on, the time of the Wireshark packets gets further behind the actual time, so that by the end of a 5-minute trace it is over 60 seconds behind. Why is this, and can this be corrected? My platform is XP Pro.

This question is marked "community wiki".

asked 16 Feb '11, 11:58


30michael
accept rate: 0%

What's the interface captured on?

(16 Feb '11, 23:06) Jaap ♦

Can you confirm whether the problem is only real-time display or the actual timestamps on packets? The former might be if you have a very busy network and Wireshark is trying to do name resolution on IP addresses and not keeping up. However, this would not change the actual timestamp. The best way to check this is to look for NTP packets on the network, which will of course have very close to real timestamps. Also, if you look inside the HTTP headers of, say, HTTP 200 OK responses, there will be a Date: timestamp that can be compared with the libpcap (Wireshark) applied timestamp.

(17 Feb '11, 22:13) martyvis
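
The HTTP `Date:` comparison suggested in the comment above, as an added example that is not part of the original thread: it measures how far the capture timestamps lag the server's `Date:` values and whether that lag grows over the trace. The input layout (tab-separated `frame.time_epoch` and `http.date`, as a tshark field export would give), the sample rows and the function names are assumptions, and the server clock is assumed to be accurate.

```python
from email.utils import parsedate_to_datetime

# Constructed sample (not from the asker's trace): "frame.time_epoch<TAB>http.date"
# rows, the shape assumed from a field export such as
#   tshark -r trace.pcap -Y http.date -T fields -e frame.time_epoch -e http.date
SAMPLE = (
    "1297857460.000000\tWed, 16 Feb 2011 11:58:00 GMT\n"
    "1297857525.000000\tWed, 16 Feb 2011 11:59:15 GMT\n"
    "1297857560.000000\t\n"  # row without a Date header: skipped
    "1297857590.000000\tWed, 16 Feb 2011 12:00:30 GMT\n"
    "1297857655.000000\tWed, 16 Feb 2011 12:01:45 GMT\n"
    "1297857720.000000\tWed, 16 Feb 2011 12:03:00 GMT\n"
)

def lags(text):
    """Return [(server_epoch, lag_s)]; lag_s > 0 means the capture clock is behind."""
    out = []
    for line in text.splitlines():
        cap, _, date = line.partition("\t")
        if not cap.strip() or not date.strip():
            continue
        try:
            server = parsedate_to_datetime(date.strip()).timestamp()
        except (TypeError, ValueError):
            continue  # malformed Date header
        out.append((server, server - float(cap)))
    return out

def drift_per_minute(points):
    """Least-squares slope of lag against server time, in seconds of lag per minute."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two Date headers")
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all Date headers carry the same time")
    return 60 * sum((x - mx) * (y - my) for x, y in points) / sxx

def summarize(text):
    pts = sorted(lags(text))
    return {"first_lag": pts[0][1], "last_lag": pts[-1][1],
            "drift_s_per_min": drift_per_minute(pts)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A roughly constant lag points at a fixed clock offset, while a non-zero drift means the capture timestamps themselves are falling behind; `Date:` has one-second resolution, so small values are noise.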