This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I have completed a few captures on my network and am finding that the frame.time_delta is equal to 0 for nearly all of the packets- it's nonzero for under 1% of them. How can I fix this? I have used the frame.time_delta frequently in the past without issue and haven't had a problem. In this case, I have connected my PC and the system I'm trying to monitor (a streaming media box) to a hub, which is in turn uplinked to the rest of the network. I get normal deltas when capturing off the wireless NIC in this PC. Is it possible that the hub is causing this?

I am certain that all of my network traffic is not arriving simultaneously :) so any suggestions would be appreciated.

asked 11 Nov '14, 21:16

Katb's gravatar image

Katb
11112
accept rate: 0%


In a busy network with lot's of traffic frame.time_delta will be small (like 0.000145000 seconds) but not zero. Does frame.time_relative look like it is incrementing correctly?

The timestamp is added by winpcap or libpcap as I understand.

permanent link

answered 11 Nov '14, 21:55

martyvis's gravatar image

martyvis
8911525
accept rate: 7%

Thank you both!

What I was seeing was true zero; I had my times displayed in nanoseconds. I was using the frame time information, not TCP; I was trying to capture Cobranet traffic, which is a Layer 2 audio distribution protocol. Your comments regarding the timestamp source and network hardware led my to try a fresh install on a newer PC with a better quality NIC, which produced a capture with timestamps that make much more sense. It was surprising to me that the NIC's failure to keep up only affected the time, although having thought through it a bit more, I do understand that a calculated attribute would be low on the priority list.

Again, thank you for the help! This is really helping me research an entrenched issue with my network.

(12 Nov '14, 17:44) Katb

As marty says, you will see many packets with >1ms times. If your frame.time_delta is using milliseconds, you will see them as 0.000. Make a second column next to the frame delta (Custom tcp.time_delta Instance 0) this will give TCP time in nanoseconds (but you wont see anything on the last 3 digits unless you have pretty good / specialised Hardware. You SHOULD also go into the View | "Time Display Format" Menu and change to Microseconds. You really don't need nanoseconds at home and without the hardware you will never see anything there anyways. Also, your computer is not conencted to a hub, it passes through a hub. Unless it is a switched Hub in which case sub 1ms times are the rule, not the exception.

I tried uploading an image to show you, but I can't get it uploaded.. But basically.

Delta Delta (in Microseconds) 0.000 0.000123

I assume you have enabled TCP | Protocol Preferences | Calculate TCP Timestamps via right click in Packet Details?

permanent link

answered 12 Nov '14, 01:06

DarrenWright's gravatar image

DarrenWright
216141520
accept rate: 26%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×6

question asked: 11 Nov '14, 21:16

question was seen: 1,692 times

last updated: 13 Nov '14, 01:36

p​o​w​e​r​e​d by O​S​Q​A