This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark capture file timestamp display

0

Hi, when opening a capture file that contains timestamping done by a third party via Wireshark, what will be the default behavior, assuming packets are written to the file out of order: display by order or by timestamp?

Thanks

asked 19 Mar '17, 00:18

yakovd
accept rate: 0%

When opening a capture file that contains timestamping done by third party via Wireshark

So you mean that you have a capture file with time stamping done by a third party, and you open it in Wireshark?

If so, by "timestamping" do you mean the time stamps in the packet records or time stamps in the contents of the packets?

(19 Mar '17, 22:03) Guy Harris ♦♦

Hi,

I mean the time stamps in the packet records.

(19 Mar '17, 22:45) yakovd

One Answer:

0

The default behavior is to display packets by the order in which they appear in the file. You can sort by the time stamp column, but that's not the default.

The Wireshark package includes a command-line tool, reordercap, which will read a capture file and write the packets, sorted by their timestamps, to a new file.

answered 19 Mar '17, 23:11

Guy Harris ♦♦
accept rate: 19%
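
To make file order versus timestamp order concrete, here is an added example (not part of the original answers, and not Wireshark's or reordercap's code) that parses a classic pcap byte string, lists the records whose timestamps go backwards, and produces a timestamp-sorted copy. The sample capture is constructed inline and all function names are illustrative; pcapng files are not handled.

```python
import struct

LE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec magic, little-endian
BE = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")  # same magics, big-endian

def read_records(data):
    """Parse classic pcap bytes into (endian, file_header, records) in file order."""
    if data[:4] in LE:
        endian = "<"
    elif data[:4] in BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    records, off = [], 24  # the file header is 24 bytes
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        body = data[off + 16:off + 16 + incl]
        if len(body) < incl:
            break  # truncated last record: ignore it
        records.append((sec, frac, orig, body))
        off += 16 + incl
    return endian, data[:24], records

def out_of_order(records):
    """1-based record numbers whose timestamp is earlier than the previous record's."""
    return [i + 1 for i in range(1, len(records))
            if records[i][:2] < records[i - 1][:2]]

def reorder(data):
    """Return a copy of the capture with records sorted by (seconds, fraction)."""
    endian, header, records = read_records(data)
    out = bytearray(header)
    for sec, frac, orig, body in sorted(records, key=lambda r: r[:2]):  # stable sort
        out += struct.pack(endian + "IIII", sec, frac, len(body), orig) + body
    return bytes(out)

def make_sample():
    """Constructed capture: four 1-byte packets written out of timestamp order."""
    pkts = [(10, 500000, b"A"), (10, 100000, b"B"), (11, 0, b"C"), (10, 900000, b"D")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p
                          for s, u, p in pkts)

SAMPLE = make_sample()

if __name__ == "__main__":
    print("out of order in file:", out_of_order(read_records(SAMPLE)[2]))
    print("after sorting:", out_of_order(read_records(reorder(SAMPLE))[2]))
```

The record numbers reported by `out_of_order` correspond to the frame numbers Wireshark shows when it displays the file in its default file order.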