This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

A question on time delta in packet.

0
1

Can you please help to investigate for “Time delta from previous captured frame: 0.000000000 seconds” and “Time delta from previous displayed frame: 0.000000000 seconds” values.

the packets are not the first packet, I want to know that how wireshare show the time delta, get time of packet directly? this time is in interior of the original packet or laptop makes a timestamp while receive it?

asked 15 Oct '15, 19:38

tansg631's gravatar image

tansg631
6121
accept rate: 0%

I want to know why some packets with 0 time delta

(15 Oct '15, 19:38) tansg631

Could you provide us a trace?

(15 Oct '15, 22:05) Christian_R
1

Did you take the capture in a virtual system? If so, this can happen due to several reasons, related to virtualization.

(16 Oct '15, 03:10) Kurt Knochner ♦

2 Answers:

0

It is possible for packet captures to not contain correct timestamps (ie: all zeros), particularly if they were imported from a text file or hex dump, where the dump didn't contain the time information. In such case, those time display settings won't help you because the information isn't actually there to be found in the file. In your example, if all the 'delta time' values are 0, then likely that is why.

How did you actually get the packet capture? Directly from a live capture on the laptop or from elsewhere?

answered 15 Oct '15, 22:05

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

edited 15 Oct '15, 22:09

thank you for you reply, I captured on live network, not all packets met this problem, just a few packets, the time delta is 0. do you mean the timestamp is in the packet in live network? wireshare just get timestamp and show it? or the timestamp is marked while arrived the laptop? thank you

(15 Oct '15, 23:55) tansg631

0

One reason could be that the time resolution inside the trace file is greater than the gap between two frames. But they should show the same absolute time value, in that case.

Remark: This could mainly caused by those things. - Common resolution of pcap is ms. - You switched the time format manually higher in Wireshark ( maybe you could post us two absolute time values) - The inter frame gap is 0 ns, this could theoretically happen in a full duplex trace

answered 16 Oct '15, 00:37

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%