This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

compare time between two trace files

0

Hello,

If I get two capture files from two different systems, how can I make sure that both were captured simultaneously?

I can see in the Frame details section provided by Wireshark:

alt text

But the other trace file shows:

alt text

So there's at least 6 minutes difference. Is this information reliable? Can it be caused by perhaps different time settings on both hosts?

Thank you

asked 05 Jul '16, 06:24

adasko
accept rate: 0%


One Answer:

0

Time stamping depends very much on the capture host clock, and then some. So if there are no measures in place to sync the capture points and you have no measure of their clock difference, there is little you can depend on.

If you do have a measure of their difference, you can use editcap to manipulate the time stamps in one of the capture files to bring them back together. Still, this won't compensate for clock drift in unsynchronized capture hosts, but could be a start. It will never be accurate though.

Further reading:

answered 05 Jul '16, 07:31

Jaap ♦
accept rate: 14%
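
The editcap adjustment described in the answer above, as an added example that is not part of the original post: it measures the clock difference from a packet visible in both captures, applies it with `editcap -t`, and reports the drift that a constant shift leaves behind. The file names, the `ip.id` display filters and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: file names and display filters below are placeholders.

# Epoch time of the first frame in a capture matching a display filter.
ref_epoch() {  # ref_epoch <file> <display-filter>
    tshark -r "$1" -Y "$2" -T fields -e frame.time_epoch 2>/dev/null | head -n 1
}

# Seconds to add to capture B so a packet seen in both files lines up with A.
# The value also contains the one-way network delay between the capture points.
time_offset() {  # time_offset <epoch_in_A> <epoch_in_B>
    LC_ALL=C awk -v a="$1" -v b="$2" 'BEGIN { printf "%.6f\n", a - b }'
}

# Change in offset between an early and a late shared packet: the clock drift
# that a single constant shift cannot remove.
drift() {  # drift <offset_early> <offset_late>
    LC_ALL=C awk -v s="$1" -v e="$2" 'BEGIN { printf "%.6f\n", e - s }'
}

# Shift every timestamp in B by the early offset and report the residual drift.
align() {  # align <A> <B> <filter-early> <filter-late> <out>
    a1=$(ref_epoch "$1" "$3"); b1=$(ref_epoch "$2" "$3")
    a2=$(ref_epoch "$1" "$4"); b2=$(ref_epoch "$2" "$4")
    if [ -z "$a1" ] || [ -z "$b1" ] || [ -z "$a2" ] || [ -z "$b2" ]; then
        echo "reference packet not found in both captures" >&2
        return 1
    fi
    off=$(time_offset "$a1" "$b1")
    echo "offset: ${off}s  drift: $(drift "$off" "$(time_offset "$a2" "$b2")")s" >&2
    editcap -t "$off" "$2" "$5"
}

# Runs only when given all five arguments, for example:
#   ./align.sh a.pcapng b.pcapng 'ip.id == 0x1a2b' 'ip.id == 0x9f00' b_fixed.pcapng
if [ "$#" -eq 5 ]; then
    align "$@"
fi
```

A reported drift well above the expected network delay means the two clocks ran at different rates during the capture, so the shifted file is only aligned near the early reference packet.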