I am trying to get the time since request (http.time) value from another application. So I am wondering if that is a standard function on winpcap, or does wireshark calculate it by itself? (and how does it calculate?)
asked 13 Oct '15, 16:23
edited 13 Oct '15, 16:24
http.time is, as Christian said, calculated by Wireshark, but it is calculated in different ways, depending on your preference settings.
The client sends a request, let's say a GET request, and for the sake of simplicity, let's assume that the GET request fits in one packet.
The server sends a response, hopefully a "200 OK" response, followed by the data that was requested. The OK response will be in the first packet from the server, followed immediately, in the same packet, by however much of the data will fit. The rest of the data follows in additional packets. So occasionally, the 200 OK and all of the data will be in one packet, but usually the response will span multiple packets with the OK in the first one.
If the TCP preference "Allow subdissector to reassemble TCP streams" is off, the http.time will be the time between the GET request and the first packet of the response, the one containing the OK.
If "Allow subdissector to reassemble TCP streams" is on and the HTTP reassembly preferences have been left at their defaults (on), http.time will be the time between the GET request and the last packet of the response.
answered 14 Oct '15, 06:38
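To make the two cases in the answer above concrete, here is a small added example (not from this thread and not Wireshark's own dissector code) that models a capture as a list of packets and computes the delta the way the answer describes for each setting of the TCP reassembly preference. The `Packet` model, the `http_time` function and the sample timestamps are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal stand-in for a captured frame (assumed model, not a Wireshark type)."""
    ts: float                       # capture timestamp in seconds
    src: str                        # "client" or "server"
    has_status_line: bool = False   # frame carries the "HTTP/1.1 200 OK" line
    last_segment: bool = False      # frame completes the response body


# Constructed sample capture: one GET request, response spread over three
# TCP segments. The status line rides in the first server segment together
# with part of the body, as the answer describes.
CAPTURE = [
    Packet(0.000, "client"),                        # GET /index.html
    Packet(0.120, "server", has_status_line=True),  # 200 OK + first chunk of body
    Packet(0.135, "server"),                        # more body
    Packet(0.150, "server", last_segment=True),     # final body segment
]


def http_time(packets, reassemble_tcp=True):
    """Return the request-to-response delta under the given preference.

    reassemble_tcp=False mirrors "Allow subdissector to reassemble TCP streams"
    being off: the delta ends at the first response frame (the one with the
    status line). reassemble_tcp=True mirrors it being on with HTTP reassembly
    left at its defaults: the delta ends at the last frame of the response.
    """
    request_ts = None
    for p in packets:
        if p.src == "client" and request_ts is None:
            request_ts = p.ts          # the request we are timing from
            continue
        if request_ts is None or p.src != "server":
            continue
        if not reassemble_tcp and p.has_status_line:
            return p.ts - request_ts
        if reassemble_tcp and p.last_segment:
            return p.ts - request_ts
    return None                        # response incomplete in this capture


if __name__ == "__main__":
    print("reassembly off:", http_time(CAPTURE, reassemble_tcp=False))
    print("reassembly on: ", http_time(CAPTURE, reassemble_tcp=True))
```

With the sample above the two settings give 0.120 s and 0.150 s respectively, which is exactly why a value exported from one Wireshark profile may not match a value computed elsewhere unless both sides agree on which response frame closes the interval.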
It is calculated by Wireshark. A value which is calculated by Wireshark itself could be identified by the brackets
answered 13 Oct '15, 16:29