Revision history

initial version

For time stamps in captures, Wireshark uses the time stamp from the capture file, and dumpcap, when writing out a live capture file, uses the time stamp from the capture mechanism.

I.e., Wireshark doesn't generate those time stamps, the capture mechanism does.

In this case, as you're capturing on Windows, the time stamps are coming from WinPcap or Npcap.

For WinPcap, here's a mail message from one of the WinPcap developers describing the time stamp modes that WinPcap provides. As it notes, WinPcap can either provide a low-precision time stamp based on the system clock or a higher-precision clock, based on a higher-precision timer but not synchronized with the system clock, as that's all the hardware and Windows OS provided at the time.

For Npcap, here's an issue comment describing the time stamp modes that Npcap provides (and also mentioning an undocumented deprecated mode, not mentioned in the aforementioned mail message, supported in WinPcap but not in Npcap). It notes that newer versions of Npcap, on Windows 8 or later, provide a new time stamp mode that provides a higher-precision clock that is synchronized with the system clock; it requires Windows 8 because prior versions of Windows didn't make that time stamp available. (As I said in that comment, for more than you ever wanted to know about getting time stamps in Windows, see Acquiring high-resolution time stamps.)

The Windows installers for Wireshark, prior to version 3.x, included the WinPcap installer; starting with 3.0.0, the installer included the Npcap installer. That's why there's a difference between pre-3.0 releases and 3.0 and later - there's a difference in the capture mechanism that they install. It's not a difference in the Wireshark code.

Please note that the mail message about WinPcap indicates that the WinPcap registry key for the time stamp mode is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NPF\TimestampMode and that the first comment in the issue about Npcap indicates that the Npcap registry key for the time stamp mode is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npcap\Parameters\TimestampMode. This means that changing the registry key for WinPcap will not affect Npcap; you will need to add or change the Npcap registry key. That's why the WinPcap registry key had no effect with Wireshark 3.x - it was using Npcap, which doesn't look at the WinPcap registry keys.
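A quick way to see which of the two keys named above is present on a given machine, and what TimestampMode (if any) each carries, as an added example that is not part of the original answer. It assumes the registry paths quoted above; the DWORD value type in the setter and the meaning of individual mode numbers are assumptions to be checked against the WinPcap/Npcap documentation, not facts from this answer.

```powershell
# Added diagnostic: the WinPcap and Npcap drivers read TimestampMode from
# different registry keys, so a value set under NPF is ignored by Npcap.
$script:CaptureDriverKeys = [ordered]@{
    'WinPcap' = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'
    'Npcap'   = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'
}

function Get-CaptureTimestampMode {
    # Reports, per driver, whether its key exists and what TimestampMode holds.
    foreach ($driver in $script:CaptureDriverKeys.Keys) {
        $path = $script:CaptureDriverKeys[$driver]
        $row = [ordered]@{ Driver = $driver; KeyPath = $path }
        if (-not (Test-Path -LiteralPath $path)) {
            $row.KeyPresent    = $false        # driver (or its key) not installed
            $row.TimestampMode = $null
        } else {
            $row.KeyPresent = $true
            $prop = Get-ItemProperty -LiteralPath $path -Name 'TimestampMode' `
                                     -ErrorAction SilentlyContinue
            # No value present means the driver is using its built-in default.
            $row.TimestampMode = if ($null -ne $prop) { $prop.TimestampMode }
                                 else { '(not set; driver default)' }
        }
        [pscustomobject]$row
    }
}

function Set-CaptureTimestampMode {
    # Writes TimestampMode for the chosen driver; needs an elevated shell.
    # Assumption: the value is stored as a DWORD (verify in the driver docs).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('WinPcap', 'Npcap')][string]$Driver,
        [Parameter(Mandatory)][int]$Mode
    )
    $path = $script:CaptureDriverKeys[$Driver]
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Registry key for $Driver not found: $path (driver not installed?)"
    }
    if ($PSCmdlet.ShouldProcess($path, "Set TimestampMode=$Mode")) {
        New-ItemProperty -LiteralPath $path -Name 'TimestampMode' -Value $Mode `
                         -PropertyType DWord -Force | Out-Null
    }
}

Get-CaptureTimestampMode | Format-Table -AutoSize
```

Run `Set-CaptureTimestampMode -Driver Npcap -Mode <n> -WhatIf` first to confirm it targets the Npcap key rather than the WinPcap one.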