Why don't Windows pings ever show this field in Wireshark: Timestamp from icmp data field (icmp.data_time)? A Linux ping always has this field right after the Sequence Number (and it's actually the first 8 bytes of the data section), but when I ping with Windows, I NEVER see this field. Furthermore, when I open up a Linux ping capture in Windows, I CAN see this field.
asked 15 Oct '14, 10:55 Sniffer52
2 Answers:
The payload of an ICMP ping is entirely implementation dependent. The Windows ping utility does not carry a timestamp in the payload; instead it's the ASCII characters a-w (on Win 8.1 at least). See RFC 792 for more info.
answered 18 Oct '14, 23:39 grahamb ♦
The ICMP dissector makes an attempt to interpret the timestamp, but is not flawless.
answered 16 Oct '14, 05:20 Jaap ♦
This does NOT answer my question.
The field is missing in Windows (Between the sequence number and data), but shows up in Linux. It's not a dissector issue.
This does answer your question. If you read the code comments carefully you'll see that the dissector tries its best to make something of the data in the packet where a timestamp could be. There may be timestamp formats the dissector doesn't understand, or there may be no timestamp at all. That is what the dissector author is unsure about.
If your question really is: "why doesn't Windows fill in a timestamp in the ICMP data field", then I suggest you consult a Windows networking support site, which this is not.
No, grahamb answered my question.
Your answer has nothing to do with my question (to which I wrote "This does NOT answer my question").
The answer is that Windows doesn't include a timestamp in the data field, not "the ICMP dissector makes an attempt but is not flawless."
Your reply to my reply is nothing but backtracking and revising history in terms of what you wrote (...or there may be no timestamp at all) :-)
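The two answers above, as an added example that is not part of the original thread and is not Wireshark's dissector code: a parser that reads an ICMP echo message and decides whether the first 8 data bytes plausibly hold a timestamp or whether the payload is the a-w ASCII fill. The plausibility window, the function names and both sample packets are assumptions constructed for illustration.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0
TOLERANCE = 86400  # assumed window (seconds) around the capture time

def payload_timestamp(data, capture_time, tolerance=TOLERANCE):
    """Return (sec, usec, byte_order) if the first 8 data bytes look like a
    32-bit sec/usec pair close to capture_time, else None."""
    if len(data) < 8:
        return None
    # The sender's byte order is unknown, so try both interpretations.
    for fmt, name in ((">II", "big"), ("<II", "little")):
        sec, usec = struct.unpack(fmt, data[:8])
        if usec < 1_000_000 and abs(sec - capture_time) <= tolerance:
            return sec, usec, name
    return None

def describe_echo(icmp, capture_time):
    """Parse an ICMP echo message (RFC 792 layout) and classify its payload."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo message")
    data = icmp[8:]
    ts = payload_timestamp(data, capture_time)
    if ts:
        kind = "timestamp"
    elif data and all(0x61 <= b <= 0x77 for b in data):  # bytes 'a'..'w'
        kind = "ascii a-w"
    else:
        kind = "opaque"
    return {"id": ident, "seq": seq, "kind": kind, "timestamp": ts}

# Constructed samples (checksum left at 0; it is not verified here).
CAPTURE_TIME = 1413370500  # constructed capture time, Unix seconds
HDR = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x1234, 1)
LINUX_STYLE = HDR + struct.pack("<II", CAPTURE_TIME, 250000) + bytes(range(0x10, 0x40))
WINDOWS_STYLE = HDR + b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    for name, pkt in (("linux-style", LINUX_STYLE), ("windows-style", WINDOWS_STYLE)):
        print(name, describe_echo(pkt, CAPTURE_TIME))
```

Because the payload is implementation dependent, a "timestamp" result only means the bytes are consistent with one; any sender can place arbitrary data there.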