Re: Wireshark time behind the actual time

["Gianluca Varenni" <gianluca.varenni () cacetech com>]

--------------------------------------------------
From: "Guy Harris" <guy () alum mit edu>
Sent: Friday, August 20, 2010 10:48 AM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] Wireshark time behind the actual time

> On Aug 20, 2010, at 4:09 AM, Gary Chaulklin wrote:
>
> > I am working with an employee in a remote location.  I am getting him to 
> > run FiddlerCap and Wireshark to get plain text and packet level traces to 
> > troubleshoot an issue.
> >
> > The FiddlerCap trace matched the users experience in terms of watching 
> > the clock on the PC, but Wireshark is about 20 seconds behind the actual 
> > time.  As the trace goes on the time of the Wireshark packets gets more 
> > behind the actual time so that by the end of a 5 minute trace it is over 
> > 60 seconds behind.  The FiddlerCap trace which records timings to the 
> > millisecond always seems to be correct.
> >
> > Any ideas as to why the Wireshark time would be behind the actual time 
> > for this remote user?  I have worked with dozens of users over a period 
> > of several years with first Ethereal then Wireshark and have never seen 
> > this particular issue.
> >
> > The remote user and I run the same Windows XP Professional PCs.
>
> ...which means the capture is being done using WinPcap, and thus the time 
> stamps are coming from WinPcap.
>
> As I remember, WinPcap has multiple time stamping modes:
>
> In one mode, it queries the system time stamp; in that mode, the time 
> stamps will obviously match the time stamp on the clock on the PC (whether 
> the PC's clock is the "actual time" is another matter), but, at least 
> according to
>
> http://www.osronline.com/ddkx/kmarch/k105_41iq.htm
>
> "System time is typically updated approximately every ten milliseconds.", 
> which means that the time stamp resolution is only 10ms or so.
>
> In at least some of the other modes, it uses the performance counter; in 
> that mode, you can get higher-resolution time stamps, but the time can 
> drift from the system time.
>
> I'll let the WinPcap developers give more details and corrections to the 
> above.

There is not much to add to it. WinPcap by default uses a timestamping 
source that is quite accurate but gets synchronized with the system clock 
only at the beginning of a capture (it's actually more complicated than 
this. The point is that it doesn't resync during the capture). There is an 
option (through the registry) to change the timestamping mode and use the 
system time. The problem with that is that the system time gets updated 
every X milliseconds (where X can be something between 1 and 15 or so).

Have a nice day
GV



> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe