A timestamp is a sequence of characters that records when a certain event occurred, usually as a date and time of day, often down to a small fraction of a second. When we capture packets in Wireshark, each and every packet is time-stamped and the stamp is saved in the capture file so that it can be used for later analysis. The packets get their timestamps from the libpcap library (Npcap on Windows), which in turn obtains the system time from the host kernel.
Wireshark Time Display Formats:
To change the format in which Wireshark displays the timestamp, follow the steps below:
- Start Wireshark and either select the network interface we want to analyze or open a previously saved capture file.
- In Wireshark, click the View → Time Display Format menu or toolbar item.
Based on the screenshot above, the following time display formats are available:
- Date and Time of Day (1970-01-01 01:02:03.123456): This option displays the date and time of day when the packet was captured.
- Year, Day of Year, and Time of Day (1970/001 01:02:03.123456): This option displays the year, day of the year, and time of day when the packet was captured.
- Time of Day (01:02:03.123456): This option displays the time of day when the packet was captured.
- Seconds Since First Captured Packet: This option displays the time relative to the first packet in the capture file.
- Seconds Since Previous Captured Packet: This option displays the time relative to the previously captured packet.
- Seconds Since Previous Displayed Packet: This option displays the time relative to the previously displayed packet (packets hidden by a display filter are skipped).
We can also adjust the precision with which the capture time is displayed. The following precisions are available:
- Automatic (from capture file)
- Seconds
- Tenths of a Second
- Hundredths of a Second
- Milliseconds
- Microseconds
- Nanoseconds
Wireshark Packet Time Referencing:
Wireshark can set and unset a time reference on a packet. All packets after the referenced packet then display their time relative to it, which is very helpful when we want to analyze the packets that follow the reference point. We can set multiple reference points in a capture file, but they are temporary: they are not saved with the file and are lost once it is closed.
Wireshark’s time referencing takes effect only when the time display format is set to View → Time Display Format → “Seconds Since First Captured Packet”.
To set up the Time reference in Wireshark, follow the steps below:
- Select the packet that you want to use as the starting point (the reference point).
- Now click the Edit → Set/Unset Time Reference menu or toolbar item.
A time-referenced packet is marked with the string *REF* in the Time column, and all packets after it display their time relative to that reference packet.
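The relative time formats, the precision setting and the time reference described above are all computed from the same raw per-packet timestamps that libpcap writes into the capture file. The following Python script is an added example (not part of the original article and not Wireshark code): it reads the timestamps out of a small constructed pcap byte string, detects the file's native precision from the pcap magic number (what the "Automatic (from capture file)" setting uses), and then recomputes "Seconds Since First Captured Packet", "Seconds Since Previous Captured Packet", "Seconds Since Previous Displayed Packet" (with a hypothetical display filter that hides packets 2 and 4) and the *REF* behaviour with a time reference set on packet 3. The packet timestamps, the displayed mask and the reference point are constructed values; the rounding to the chosen precision is this example's own choice and the absolute times are rendered in UTC for determinism.

```python
"""Recompute Wireshark's time display formats from raw pcap record timestamps (added example)."""
import struct
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple

# pcap magic numbers encode the file's timestamp resolution; this is what the
# "Automatic (from capture file)" precision setting reads.
MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond sub-second field
MAGIC_NSEC = 0xA1B23C4D  # pcap with nanosecond sub-second field


def parse_pcap(data: bytes) -> Tuple[int, List[int]]:
    """Return (native precision in decimal digits, per-packet timestamps in integer ns)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<"
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        magic = struct.unpack_from(">I", data, 0)[0]  # writer used big-endian byte order
        endian = ">"
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a pcap file")
    digits = 9 if magic == MAGIC_NSEC else 6
    frac_to_ns = 1 if digits == 9 else 1000  # scale the sub-second field to nanoseconds
    timestamps: List[int] = []
    offset = 24  # the pcap global header is 24 bytes
    while offset + 16 <= len(data):  # each record header is 16 bytes
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        timestamps.append(ts_sec * 10**9 + ts_frac * frac_to_ns)
        offset += 16 + incl_len  # skip the captured frame bytes
    return digits, timestamps


def format_seconds(ns: int, digits: int) -> str:
    """Render nanoseconds as seconds with `digits` decimals (this example rounds half up)."""
    unit = 10 ** (9 - digits)
    scaled = (ns + unit // 2) // unit
    whole, frac = divmod(scaled, 10**digits)
    return f"{whole}.{frac:0{digits}d}" if digits else str(whole)


def date_and_time_of_day(ns: int) -> str:
    """'Date and Time of Day' format, rendered in UTC with microsecond precision."""
    dt = datetime.fromtimestamp(ns // 10**9, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{(ns % 10**9) // 1000:06d}"


def seconds_since_first(ts: Sequence[int]) -> List[int]:
    """'Seconds Since First Captured Packet': offset from the first record."""
    return [t - ts[0] for t in ts]


def seconds_since_previous_captured(ts: Sequence[int]) -> List[int]:
    """'Seconds Since Previous Captured Packet': delta to the preceding record."""
    return [0] + [b - a for a, b in zip(ts, ts[1:])]


def seconds_since_previous_displayed(ts: Sequence[int], displayed: Sequence[bool]) -> List[Optional[int]]:
    """'Seconds Since Previous Displayed Packet': delta to the last packet the filter shows."""
    out: List[Optional[int]] = []
    prev: Optional[int] = None
    for t, shown in zip(ts, displayed):
        if not shown:
            out.append(None)  # hidden by the display filter, so no Time value is shown
            continue
        out.append(0 if prev is None else t - prev)
        prev = t
    return out


def with_time_reference(ts: Sequence[int], reference_indices: Sequence[int]) -> List[object]:
    """Edit -> Set/Unset Time Reference: packets after a *REF* count from that packet."""
    refs = set(reference_indices)
    out: List[object] = []
    anchor = ts[0]  # before any reference, time counts from the first captured packet
    for i, t in enumerate(ts):
        if i in refs:
            out.append("*REF*")
            anchor = t
        else:
            out.append(t - anchor)
    return out


def build_sample_capture() -> bytes:
    """Constructed little-endian microsecond pcap with five tiny placeholder frames."""
    header = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    stamps = [(1700000000, 0), (1700000000, 250000), (1700000001, 500),
              (1700000001, 700), (1700000003, 500000)]  # constructed (sec, usec) pairs
    records = b""
    for n, (sec, usec) in enumerate(stamps):
        payload = bytes([n]) * 4  # constructed placeholder frame bytes, not a real frame
        records += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return header + records


if __name__ == "__main__":
    digits, ts = parse_pcap(build_sample_capture())
    shown = [True, False, True, False, True]  # hypothetical display filter hides packets 2 and 4
    ref_view = with_time_reference(ts, [2])  # time reference set on packet 3
    print(f"file precision: {digits} digits")
    print("No.  Date and Time (UTC)         SinceFirst  SincePrevCap  SincePrevDisp  WithREF")
    for i, t in enumerate(ts):
        disp = seconds_since_previous_displayed(ts, shown)[i]
        ref = ref_view[i]
        print(f"{i + 1:<4} {date_and_time_of_day(t):<27} "
              f"{format_seconds(seconds_since_first(ts)[i], digits):>10}  "
              f"{format_seconds(seconds_since_previous_captured(ts)[i], digits):>12}  "
              f"{'(filtered)' if disp is None else format_seconds(disp, digits):>13}  "
              f"{ref if isinstance(ref, str) else format_seconds(ref, digits):>8}")
```

Running the script prints one row per packet; the "SincePrevDisp" column shows why the displayed-packet variant differs from the captured-packet variant as soon as a display filter hides rows, and the "WithREF" column shows packet 3 rendered as *REF* with packets 4 and 5 counted from it while packets 1 and 2 still count from the first packet. Changing `digits` when calling `format_seconds` reproduces the precision menu (0 for seconds through 9 for nanoseconds).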