Sunday, November 17, 2024
Google search engine
HomeNewsTime Display Formats and Time References in Wireshark

Time Display Formats and Time References in Wireshark

A timestamp is a sequence of characters that determines when a certain event occurred, usually the date and time of day, and is even accurate to a small fraction of a second. When we capture packets in Wireshark, each and every packet is time-stamped and saved to the capture file, so that it can be used for further analysis.  The packets get their timestamp from the libpcap (Npcap) library. The host kernel provides the system’s time to the libpcap library.  

Wireshark Time Display Formats:

To change the format in which Wireshark displays the time stamp, follow the steps below :

  • Start the Wireshark by selecting the network we want to analyze or opening any previously saved captured file.
  • Now go into the Wireshark and click on View→ Time Display Format menu or toolbar item.
Wireshark Time Display Format

 

Based on the screenshot above, the following are the available time display formats:

  • Date and Time of Day (1970-01-01 01:02:03.123456): This option displays the date and time of the day when the packet was captured.
  • Year, Day of Year, and Time of Day (1970/001 01:02:03.123456): This option displays the year, day of the year, and time of the day when the packet was captured.
  • Time of Day (01:02:03.123456): This option displays the time of the day when the packet was captured.
  • Seconds Since First Captured Packet: This option displays the relative time to the start of the capture file. 
  • Previous Captured Packet:  This option displays the relative time to the previously captured packet.
  • Seconds Since Previous Displayed Packet:  This option displays the relative time to the previously displayed packet.

We can also adjust the precision of the time when the packet was captured. The following are the available precision:

  • Automatic (from capture file)
  • Seconds
  • Tenths of a Second 
  • Hundreds of a Second
  • Milliseconds
  • Microseconds
  • Nanoseconds

Wireshark Packet Time Referencing:

Wireshark can set and unset time reference to a packet. All the packets after the packet on which the time reference is set, display relative time. It can be very helpful in case we want to analyze packets after the reference point. We can set multiple reference points in a capture file, but they are temporary, once we close the file it gets deleted.

Wireshark’s time referencing will take effect only if the time display format is set to View → Time Display Format → “Seconds Since First Captured Packet”

To set up the Time reference in Wireshark, follow the steps below:

  • Select the packet that you want to choose as a starting point or reference point.
  • Now click on the Edit → Set/Unset Time Reference menu or toolbar item.
Wireshark Time Display Format

 

A time-referenced packet will be marked with the string *REF* in the Time column. All the packets will display the relative time after that reference packet.

REF Captured Result

 

Whether you’re preparing for your first job interview or aiming to upskill in this ever-evolving tech landscape, lazyroar Courses are your key to success. We provide top-quality content at affordable prices, all geared towards accelerating your growth in a time-bound manner. Join the millions we’ve already empowered, and we’re here to do the same for you. Don’t miss out – check it out now!

RELATED ARTICLES

Most Popular

Recent Comments