Inconsistent Wireshark Arrival Times
I am using Wireshark to investigating poor performance on an internal LAN. One Windows 10 PC is accessing SQL Server on another Windows 10 PC over a powerline. I do not understand why the Arrival Time stamped on packets by Wireshark differs by over a second on the two PCs.
Wireshark running on the transmitting PC shows the Arrival Time for a packet being sent is 14:45:27.8. Wireshark running on the receiving PC shows this packet's Arrival Time as 14:45:26.4. [The round trip time to ACK the segment was 7 milliseconds]
Both PCs are running Windows 10 and both system clocks are synchronized to time.nist.gov. My understanding is that the Arrival Time shown by Wireshark comes from the Windows system time via Npcap.
Why are the times shown on each PC so different for the same frame?
Comments
The arrival time on the receiving PC is lower than the time on the sending PC. That's not possible. Sounds like the system clock of one or both PCs is not really in sync. Have you checked this?
The seconds on each PC as shown in Windows Calendar are in sync. They could be out by some milliseconds, but not by a whole second. They had also been synchronised with the time signal before the capture. There's got to be some reason why Npcap is reporting different times.
Have a look at @guy-harris' answer to this question; I think it may help explain things: Frame Arrival Time drift
Thanks. I did look at @guy-harris' answer before posting. But this was about drift over a long period of time. Both my PCs are rebooted every day - so I'm assuming that npf resyncs every morning.
Have you tried to reduce the capture amount of packets by using a capture filter, which captures only the traffic between PC A and B / SQL protocol? Maybe NPF is not able to add the exact timestamp due to a high network/capture load on one of the clients.