Wireshark mailing list archives

Re: Wireshark time behind the actual time


From: Guy Harris <guy () alum mit edu>
Date: Fri, 20 Aug 2010 10:48:32 -0700


On Aug 20, 2010, at 4:09 AM, Gary Chaulklin wrote:

> I am working with an employee in a remote location.  I am getting him to run FiddlerCap and Wireshark to get
> plain text and packet level traces to troubleshoot an issue.
>
> The FiddlerCap trace matched the user's experience in terms of watching the clock on the PC, but Wireshark is
> about 20 seconds behind the actual time.  As the trace goes on the time of the Wireshark packets gets more
> behind the actual time so that by the end of a 5 minute trace it is over 60 seconds behind.  The FiddlerCap
> trace which records timings to the millisecond always seems to be correct.
>
> Any ideas as to why the Wireshark time would be behind the actual time for this remote user?  I have worked
> with dozens of users over a period of several years with first Ethereal then Wireshark and have never seen
> this particular issue.
>
> The remote user and I run the same Windows XP Professional PCs.

...which means the capture is being done using WinPcap, and thus the time stamps are coming from WinPcap.

As I remember, WinPcap has multiple time stamping modes:

In one mode, it queries the system time stamp; in that mode, the time stamps will obviously match the time stamp on the 
clock on the PC (whether the PC's clock is the "actual time" is another matter), but, at least according to

        http://www.osronline.com/ddkx/kmarch/k105_41iq.htm

"System time is typically updated approximately every ten milliseconds.", which means that the time stamp resolution is 
only 10ms or so.

In at least some of the other modes, it uses the performance counter; in that mode, you can get higher-resolution time 
stamps, but the time can drift from the system time.

I'll let the WinPcap developers give more details and corrections to the above.
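
An added example, not part of the original message and not Wireshark or WinPcap code: when capture time stamps drift against a second trace taken on the same machine, a few events visible in both traces are enough to fit an offset-plus-drift model and map capture times onto the reference clock. The matched pairs are constructed to resemble the 20-to-60-second lag described in the question, and treating the drift as linear is an assumption that `max_residual` lets you check.

```python
# Added example: fit and remove linear clock drift between two traces.
# Times are in seconds; all sample values are constructed.

def fit_drift(pairs):
    """Least-squares fit of reference = slope * capture + intercept.

    pairs: (capture_ts, reference_ts) for the same events, e.g. one HTTP
    request located in both the packet capture and the proxy trace.
    """
    n = len(pairs)
    if n < 2:
        raise ValueError("need at least two matched events")
    mean_c = sum(c for c, _ in pairs) / n
    mean_r = sum(r for _, r in pairs) / n
    # Centre on the means so large epoch values do not lose precision.
    scc = sum((c - mean_c) ** 2 for c, _ in pairs)
    if scc == 0:
        raise ValueError("matched events need distinct capture times")
    scr = sum((c - mean_c) * (r - mean_r) for c, r in pairs)
    slope = scr / scc
    return slope, mean_r - slope * mean_c

def correct(capture_ts, slope, intercept):
    """Map a capture time stamp onto the reference clock."""
    return slope * capture_ts + intercept

def max_residual(pairs, slope, intercept):
    """Largest fit error; a large value means the drift is not linear."""
    return max(abs(correct(c, slope, intercept) - r) for c, r in pairs)

def drift_ppm(slope):
    """Rate error of the capture clock in parts per million."""
    return (slope - 1.0) * 1e6

# Constructed pairs: the capture clock lags the reference by 20 s at the
# first event and by 60 s five minutes (reference time) later.
SAMPLE_PAIRS = [(980.0, 1000.0), (1110.0, 1150.0), (1240.0, 1300.0)]

if __name__ == "__main__":
    slope, intercept = fit_drift(SAMPLE_PAIRS)
    print(f"slope={slope:.6f} drift={drift_ppm(slope):.0f} ppm")
    print(f"max residual={max_residual(SAMPLE_PAIRS, slope, intercept):.6f} s")
    for c, r in SAMPLE_PAIRS:
        print(f"capture {c:.1f} -> corrected {correct(c, slope, intercept):.3f}")
```
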