
I've been using Wireshark/Ethereal for several years and now I observe a very odd behaviour (Wireshark 1.4.2/1.4.6 and PCap 4.1.2) on an HP Compaq 8000 Elite CMT with Windows XP SP3 32bit.

When I start the capture, the timestamp of the immediately captured packet is okay. The more time passes, the more does the timestamp deviate from the real time. That is, after 10 seconds of real time passed, Wireshark will timestamp that only 4 seconds passed - no matter what the timeview format is. The clocks completely differ after some time (the OS clock will show something like 11:42:15 and when I provoke a packet then, the timestamp might say 11:40:57 or in the Seconds since Capture view, the first packet has 0 seconds, then I wait 10 seconds, send a packet and the packet has just 4 seconds as timestamp).

I've other software that timestamps received packets, and this other software works - the timestamps are correct. I can run them simultaneously, too, and see the difference between the timestamps for the very same packet, up to minutes, if I let Wireshark run long enough. (As far as I can tell, Wireshark/PCap seems to retrieve the current time once and then internally counts the time while the capture is running - and this does not work properly on this machine for whatever reason.)

I've reinstalled Wireshark and PCap, uninstalled nearly every other piece of software etc. I've checked the BIOS for time-related settings... right now I'm at a loss what else I can do. Wireshark works fine on my other computers (be it XP or Linux).

Additional: This is not just a timestamp delay due to performance issues or network traffic. The timestamps are plain wrong. It happens with single packets, name resolutions disabled etc. I've two network cards in the machine and the behaviour is the same for both.

asked 03 May '11, 02:26


Iyanga

edited 03 May '11, 02:34
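The comparison the question describes, running a second timestamping tool alongside Wireshark and comparing the stamps of the very same packets, can be quantified from the two capture files. The following is an added example, not code from the question or from Wireshark/WinPcap: it reads packet timestamps from a classic little-endian pcap file and computes how fast the capture clock ran relative to a reference clock; the function names, the in-memory sample capture and its timestamps are constructed for this example.

```python
import struct
from typing import List

# Minimal reader/writer for the classic libpcap format (LE magic 0xa1b2c3d4,
# microsecond timestamps). Constructed for this example, not libpcap code.
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(timestamps: List[float], payload: bytes = b"\x00" * 42) -> bytes:
    """Build an in-memory pcap with one dummy packet per timestamp (test data)."""
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts in timestamps:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += PCAP_PKT_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return out


def read_timestamps(data: bytes) -> List[float]:
    """Return the capture timestamp (seconds as float) of every complete packet."""
    magic = PCAP_GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off, stamps = PCAP_GLOBAL_HDR.size, []
    while off + PCAP_PKT_HDR.size <= len(data):
        sec, usec, incl_len, _orig_len = PCAP_PKT_HDR.unpack_from(data, off)
        off += PCAP_PKT_HDR.size
        if off + incl_len > len(data):  # truncated final packet: ignore it
            break
        stamps.append(sec + usec / 1_000_000)
        off += incl_len
    return stamps


def timestamp_offsets(captured: List[float], reference: List[float]) -> List[float]:
    """Per packet: (capture elapsed since first packet) - (reference elapsed since first packet).
    Both lists must hold the same packets in the same order; 0.0 means no drift."""
    if len(captured) != len(reference) or len(captured) < 2:
        raise ValueError("need the same packets (at least 2) from both sources")
    return [(c - captured[0]) - (r - reference[0]) for c, r in zip(captured, reference)]


def clock_rate_ratio(captured: List[float], reference: List[float]) -> float:
    """Elapsed capture time divided by elapsed reference time; 1.0 means the clocks agree."""
    offsets = timestamp_offsets(captured, reference)  # validates the inputs
    ref_elapsed = reference[-1] - reference[0]
    if ref_elapsed <= 0:
        raise ValueError("reference clock did not advance")
    return (ref_elapsed + offsets[-1]) / ref_elapsed
```

With packets sent every 10 s of reference time that Wireshark stamps 4 s apart, as in the question, the ratio comes out at 0.4 and the offset of the last packet shows how far the capture clock has already fallen behind.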


Have a look at this thread on the Wireshark mailing list.


answered 04 May '11, 00:14


SYN-bit

Wireshark gets its frames, timestamped and all, from the WinPcap driver. Somehow that driver isn't able to track time, maybe due to the way it integrates with your network driver and/or network stack. You could try running in a different mode (NPF driver or not), or try a previous WinPcap version. Otherwise the WinPcap mailing list may be of help.


answered 03 May '11, 23:48


Jaap
