Wireshark-users: [Wireshark-users] System Clock Drift
From: "Capehart, Nolan" <Nolan.Capehart@xxxxxxxxxx>
Date: Mon, 27 Jul 2009 15:54:59 -0700
Version 1.2.0 (SVN Rev 28753) Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown), with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8, with c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jun 15 2009), with AirPcap. Running on Windows Server 2003 Service Pack 2, build 3790, with WinPcap version 4.1 beta5 (packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS 2.8.1, Gcrypt 1.4.4, without AirPcap. Built using Microsoft Visual C++ 9.0 build 30729 ---------------------------------- It appears to me that when a capture is started, and no other capture is already running, then Wireshark records the correspondence between the time-of-day reported by the OS and some other way that Wireshark keeps track of time, and that this correspondence is used for recording the time-of-day of each captured packet up until the time at which all captures are halted. This can be illustrated by these steps: 1) Start a capture, with "Update list of packets in real-time", and with the timestamps shown as time-of-day. 2) Display the system time clock. 3) Note that the timestamps on the newest packets agree with the system clock. 4) Change the system time by a large amount. 5) Note that the timestamps on the newest packets no longer agree with the system clock, as if the system clock had never been changed. 6) Start a new instance of Wireshark, and start a different capture. 7) Note that the timestamps on the newest packets on the second capture also act as if the system clock had not been changed. 8) Stop both captures, but do not close Wireshark. 9) Start a new capture. Note that now the timestamps on the newest packets agree with the modified system clock. I believe this is a reasonable way to do this. However, this creates a problem for me. I tend to run very long captures - perhaps a week long. But after a week, my system clock has been adjusted to a time server so much that I've lost the ability to correlate the Wireshark timestamps to anything that strictly uses the system clock. The only thought I've had is that I can use system-clock adjustment software such as Tardis that logs every adjustment, and then I could tediously figure out how different the system clock and the Wireshark clock are at any point in time. Well, I've also thought of an option in Wireshark to cause it to more-closely track system time for situations such as this. Each time the system clock adjusts, it would totally mess up the packet-to-packet time delta, but it would be more useful to me. Any thoughts?
- Follow-Ups:
- Re: [Wireshark-users] System Clock Drift
- From: Jaap Keuter
- Re: [Wireshark-users] System Clock Drift
- Prev by Date: Re: [Wireshark-users] Is this a known issue?
- Next by Date: Re: [Wireshark-users] 1.3.6.1.4.1.9.9.187
- Previous by thread: [Wireshark-users] Problems decode lldp frames
- Next by thread: Re: [Wireshark-users] System Clock Drift
- Index(es):