A timestamp is a sequence of characters that records when a certain event occurred, usually giving the date and time of day, sometimes accurate to a small fraction of a second. When we capture packets in Wireshark, every packet is timestamped and saved to the capture file so that it can be used for further analysis. The packets get their timestamps from the libpcap (Npcap) library, which in turn receives the system’s time from the host kernel.
Wireshark Internal Format:
Internally, Wireshark typically stores a captured packet’s timestamp as the date and time of day (in nanoseconds). However, we can change the format in which Wireshark displays the timestamp through the “Time Display Format” item in the “View” menu.
While reading or writing a capture file, Wireshark converts the timestamp data between the capture file format and the internal format.
Wireshark Capture File Format:
Different capture file formats support different timestamp precisions, ranging from one second to one nanosecond. A capture file format might have a fixed precision, or it can store the timestamp precision itself.
The capture file format of the libpcap library used by Wireshark supports a fixed microsecond resolution. If we load a capture file with nanosecond resolution and store the capture data in a libpcap file with microsecond resolution, Wireshark lowers the precision from nanosecond to microsecond.
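The following added example (not Wireshark's or libpcap's own code) writes nanosecond timestamps into the classic microsecond pcap record layout and reads them back to show what is lost. It assumes a little-endian file and that the sub-microsecond digits are truncated rather than rounded; the helper names and the sample packets are constructed for illustration.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4      # classic libpcap magic: ts_sec + ts_usec records
NS_PER_SEC = 1_000_000_000

def write_pcap_usec(packets):
    """Serialize (timestamp_ns, frame_bytes) pairs as a microsecond pcap file."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts_ns, frame in packets:
        sec, frac_ns = divmod(ts_ns, NS_PER_SEC)
        usec = frac_ns // 1000    # assumption: sub-microsecond digits are truncated
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap_usec(data):
    """Parse a little-endian microsecond pcap back into (timestamp_ns, frame) pairs."""
    if len(data) < 24 or struct.unpack_from("<I", data)[0] != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset, packets = 24, []
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data")
        packets.append((sec * NS_PER_SEC + usec * 1000, data[offset:offset + incl_len]))
        offset += incl_len
    return packets

def precision_loss(packets):
    """Nanoseconds lost per packet after a round trip through the file format."""
    restored = read_pcap_usec(write_pcap_usec(packets))
    return [before - after for (before, _), (after, _) in zip(packets, restored)]

# Constructed sample: two 14-byte frames captured 210 ns apart.
BASE_NS = 1_700_000_000 * NS_PER_SEC
SAMPLE = [(BASE_NS + 123_456_789, b"\x00" * 14), (BASE_NS + 123_456_999, b"\x01" * 14)]

if __name__ == "__main__":
    for (ts, _), lost in zip(read_pcap_usec(write_pcap_usec(SAMPLE)), precision_loss(SAMPLE)):
        print(f"stored {ts} ns, lost {lost} ns")
```

After the round trip both sample packets carry the same stored timestamp, so gaps shorter than one microsecond can no longer be recovered from the file when building a timeline.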
Problems with External NICs:
The timestamps provided with external NICs are not very precise, because the captured packets have to traverse the USB cable before they reach the host kernel. Since incoming packets are timestamped when they are processed by the kernel, this delay makes the timestamps from external NICs inaccurate.