Wireshark-users: Re: [Wireshark-users] Timestamp Skew
From: Lee Riemer <lriemer@xxxxxxxxxxxx>
Date: Thu, 14 Jan 2010 12:19:57 -0600
The sniffer server is syncing with NTP, and this is also a dual core system.  You may be on to something, though.  If the box is correcting its skew with NTP, Wireshark might not be if it isn't polling the time for each packet.

Anyone know exactly how WS picks the time to stamp?

On 1/14/2010 12:07 PM, Michael Glenn wrote:
Is it just the sniffer, or is the server itself also drifting?

>>> Lee Riemer <lriemer@xxxxxxxxxxxx> 01/14/2010 12:54 >>>
I wanted to post here before clogging the bug tracker.

I'm running 1.2.2-22910 on a Windows Server 2003 box dedicated to
sniffing.  I have captures running for weeks using dumpcap as well as
some in the GUI.  My reason for posting is that the timestamps have
skewed into the future.  Right now I can send a packet to update my
capture and notice about a 4 minute difference between the time on the
box and the timestamp Wireshark displays.  This does carry over to other
systems when I open the files there.

Anyone heard of this?  I think the best way to reproduce is to leave a
capture running for a day or so.

Thanks,
Lee