
Suggestion for Documentation Change


I began a complicated capture at 10:40 this morning, and checked on the progress many times during the day. Suddenly late in the afternoon, some packets appeared with time stamps showing the first capture with a time of less than one second. The "View" setting for Time Display Format was "Seconds since beginning of capture". The capture session had been running for over 7 hours waiting for that elusive packet to show up.

What I deduce is that "beginning of capture" means "the first packet that is captured" rather than "since the capture session began." I was not watching at the instant the first packet was captured, so I do not know precisely when that happened. (I understand that 99.9% of the time packets start being captured the instant that Wireshark starts looking. Being the 0.1% in this regard is not quite the same as when comparing income! I have now changed to logging the actual clock time. I lost about 24 hours thinking I was collecting data when I wasn't. Not a big deal in the grand scheme of things.)

Perhaps it would help others if the documentation (or even the program itself) were more specific about what "beginning of capture" MEANS.

Wireshark is the most amazing tool and my "go to" for analyzing network issues.

CrimpOn asked 2022-06-01 01:32:32 +0000
cmaynard updated 2022-06-01 05:04:07 +0000

1 Answer

I hope you are aware of the fact that what you are referring to is the _presentation_ of time, not the timestamps as they are stored with the packets. Whenever you are looking at packets in the packet list you are free to change the Time Display Format; this has no bearing on what is stored in the capture file.

In your case you could have simply changed the Time Display Format to Time of Day to see exactly when the packet was captured.

As for your suggestion, Seconds Since Beginning of Capture could be rephrased as Seconds Since First Captured Packet, but I leave that to the native speakers.

Perhaps capture start (and stop) timestamps could be added to the pcapng file format. But that's a whole other story.

Jaap answered 2022-06-01 05:27:47 +0000
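The distinction drawn in the answer above, as an added example that is not part of the original thread and is not Wireshark code: each record stores an absolute timestamp, and the "seconds since" view is derived from the first stored packet. It assumes the classic pcap layout rather than pcapng, a session start time that the operator noted separately, hypothetical function names, and constructed sample packets.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond resolution

def build_pcap(packets):
    """Serialize (epoch_sec, usec, payload) tuples into a classic pcap byte string."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        blob += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return blob

def read_timestamps(blob):
    """Return each record's stored timestamp in integer microseconds since the epoch."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian microsecond pcap")
    stamps, off = [], 24  # the 24-byte file header holds no capture start time
    while off + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        if off + 16 + incl_len > len(blob):
            raise ValueError("truncated packet record")
        stamps.append(sec * 1_000_000 + usec)
        off += 16 + incl_len
    return stamps

def displays(stamps_us, session_start_us):
    """Per packet: (UTC time of day, seconds since first packet, seconds since session start)."""
    rows = []
    for ts in stamps_us:
        sec, usec = divmod(ts, 1_000_000)
        tod = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)
        rows.append((tod.strftime("%H:%M:%S.%f"),
                     (ts - stamps_us[0]) / 1e6,       # relative to first stored packet
                     (ts - session_start_us) / 1e6))  # needs an externally noted start
    return rows

# Constructed sample: session started at 10:40:00 UTC, first packet over 7 hours later.
START = int(datetime(2022, 5, 31, 10, 40, tzinfo=timezone.utc).timestamp())
SAMPLE = [(START + 25512, 250000, b"\x00" * 14), (START + 25513, 0, b"\x00" * 14)]

if __name__ == "__main__":
    for row in displays(read_timestamps(build_pcap(SAMPLE)), START * 1_000_000):
        print(row)
```

The first packet shows 0.0 in the relative column even though it arrived more than seven hours into the session; only the stored absolute time reveals when it was actually captured.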

Comments

Lack of awareness is an accurate way to describe my confusion. Admitting ignorance is humbling, but seems to be the only way I learn things.

Wireshark is now collecting (and displaying) exactly what I need, and the results make perfect sense.

Thanks.

CrimpOn (2022-06-01 05:41:42 +0000)