User Guide
Advanced Topics
7.4.2. Capture file formats
Every capture file format that Wireshark knows supports time stamps. The time stamp precision supported
by a specific capture file format differs widely and varies from one second "0" to one nanosecond
"0.123456789". Most file formats store the time stamps with a fixed precision (e.g. microseconds), while
some file formats are even capable of storing the time stamp precision itself (whatever the benefit may be).
The common libpcap capture file format that is used by Wireshark (and a lot of other tools) supports a
fixed microsecond resolution "0.123456" only.
Note!
Writing data into a capture file format that doesn't provide the capability to store the
actual precision will lead to loss of information. Example: If you load a capture file
with nanosecond resolution and store the capture data to a libpcap file (with microsecond
resolution), Wireshark obviously must reduce the precision from nanosecond to microsecond.
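An added example (not taken from the Wireshark guide or its source code) of the loss the note describes: nanosecond time stamps are written into classic libpcap records, which hold seconds and microseconds, and read back. The sample time stamps are constructed, and truncation (rather than rounding) of the sub-microsecond digits is an assumption.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic: microsecond time stamps
NS_PER_SEC = 1_000_000_000

def global_header(snaplen=65535, linktype=1):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type (1 = Ethernet)
    return struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)

def write_record(ts_ns, payload):
    sec, nsec = divmod(ts_ns, NS_PER_SEC)
    usec = nsec // 1000          # assumption: truncate; the last 3 digits are dropped
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

def read_timestamps(buf):
    """Return each record's time stamp in nanoseconds, as stored in the file."""
    out, off = [], 24            # skip the 24-byte global header
    while off < len(buf):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", buf, off)
        out.append(sec * NS_PER_SEC + usec * 1000)
        off += 16 + incl_len
    return out

def roundtrip(packets):
    buf = global_header() + b"".join(write_record(ts, p) for ts, p in packets)
    return read_timestamps(buf)

def deltas(stamps):
    return [b - a for a, b in zip(stamps, stamps[1:])]

# Constructed sample: three packets, the first two only 150 ns apart.
T0 = 1_700_000_000 * NS_PER_SEC + 123_456_789
SAMPLE = [(T0, b"\x00" * 60), (T0 + 150, b"\x00" * 60), (T0 + 2000, b"\x00" * 60)]

if __name__ == "__main__":
    stored = roundtrip(SAMPLE)
    print("original deltas (ns):", deltas([ts for ts, _ in SAMPLE]))
    print("stored deltas (ns):  ", deltas(stored))
```

After the round trip the first two packets carry the same time stamp, so their relative order in a timeline can no longer be derived from the time stamps alone.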
7.4.3. Accuracy
It's often asked: "Which time stamp accuracy is provided by Wireshark?". Well, Wireshark doesn't create
any time stamps itself but simply gets them from "somewhere else" and displays them. So accuracy will
depend on the capture system (operating system, performance, ...) that you use. Because of this, the above
question is difficult to answer in a general way.
Note!
USB connected network adapters often provide a very bad time stamp accuracy. The
incoming packets have to take "a long and winding road" to travel through the USB cable
until they actually reach the kernel. As the incoming packets are time stamped when they are
processed by the kernel, this time stamping mechanism becomes very inaccurate.
Conclusion: don't use USB connected NICs when you need precise time stamp accuracy!
(XXX - are there any such NICs that generate time stamps on the USB hardware?)
7.5. Time Zones
If you travel across the planet, time zones can be confusing. If you get a capture file from somewhere
around the world, time zones can be even more confusing ;-)
First of all, there are two reasons why you may not need to think about time zones at all:
• You are only interested in the time differences between the packet time stamps and don't need to know
the exact date and time of the captured packets (which is often the case).
• You don't get capture files from different time zones than your own, so there are simply no time zone
problems. For example: everyone in your team is working in the same time zone as yourself.