This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

If I get two capture files from two different systems, how can I make sure that both were captured simultaneously?

I can see in the Frame details section provided by Wireshark:

alt text

But the other trace file shows:

alt text

So there's at least 6 minutes difference. Is this information reliable? Can it be caused by perhaps different time settings on both hosts?

Thank you

asked 05 Jul '16, 06:24


adasko


Time stamping depends very much on the capture host clock and then some. So if there are no measures in place to sync the capture points and you have no measure of their clock difference, there is little you can depend on.

If you do have a measure of their difference, you can use editcap to manipulate the time stamps in one of the capture files to bring them back together. Still, this won't compensate for clock drift in unsynchronized capture hosts, but could be a start. It will never be accurate though.

Further reading:


answered 05 Jul '16, 07:31


Jaap ♦
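Added example, not part of the original answer: one way to obtain the "measure of their difference" mentioned above, by matching frames that appear in both captures and taking the median timestamp difference, which can then be passed to `editcap -t`. It assumes classic pcap files (not pcapng) and that both capture points recorded some byte-identical frames; the sample frames and the file names in the printed command are constructed, and the estimate still includes network transit delay between the capture points.

```python
import hashlib
import statistics
import struct

# Classic pcap magic bytes -> (struct byte order, size of one timestamp fraction unit)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}

def read_pcap(data):
    """Yield (timestamp_in_seconds, frame_bytes) from classic pcap bytes."""
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, unit = MAGICS[data[:4]]
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield sec + frac * unit, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def unique_times(data):
    """Map frame hash -> timestamp, keeping only frames seen exactly once."""
    seen = {}
    for ts, frame in read_pcap(data):
        seen.setdefault(hashlib.sha256(frame).digest(), []).append(ts)
    return {h: t[0] for h, t in seen.items() if len(t) == 1}

def estimate_offset(ref, other):
    """Median of (ref - other) timestamps over frames common to both captures."""
    a, b = unique_times(ref), unique_times(other)
    deltas = [a[h] - b[h] for h in a.keys() & b.keys()]
    if not deltas:
        raise ValueError("no common frames; the captures cannot be aligned this way")
    return statistics.median(deltas), len(deltas)

def build_pcap(records):
    """Constructed sample input: records are (sec, usec, frame_bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed captures: host B's clock runs about 360 s behind host A's.
HOST_A = build_pcap([(1467700000, 0, b"frame-1"), (1467700001, 500000, b"frame-2"),
                     (1467700002, 0, b"frame-3"), (1467700003, 0, b"arp-probe"),
                     (1467700004, 0, b"arp-probe"), (1467700005, 0, b"only-on-A")])
HOST_B = build_pcap([(1467699640, 200, b"frame-1"), (1467699641, 500100, b"frame-2"),
                     (1467699642, 300, b"frame-3"), (1467699700, 0, b"arp-probe")])

if __name__ == "__main__":
    offset, matched = estimate_offset(HOST_A, HOST_B)
    print(f"{matched} common frames, host B is {offset:.6f} s behind host A")
    print(f"editcap -t {offset:.6f} hostB.pcap hostB_shifted.pcap")
```

Frames that repeat within one capture are excluded because they cannot be paired unambiguously, and the median keeps a few delayed frames from skewing the result. Clock drift over a long capture is not corrected, as the answer notes.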

question asked: 05 Jul '16, 06:24

question was seen: 1,586 times

last updated: 05 Jul '16, 07:31