Switch the Time Display Format to Time of Day and visually confirm that the packets are in chronological order.
This can also be confirmed by running Wireshark's CLI utility capinfos and checking the value of the 'Strict time order:' field. True indicates that the packet timestamps are in chronological order, False indicates that they are not.
When packets are not written to the capture in strict chronological order, Wireshark's various elapsed-time analyses can report physics-defying durations between a query and its subsequent reply.
There are various reasons why capturing mechanisms produce captures where 'Strict time order' is False. In some cases the actual order of the packets in the file is correct but the timestamps are just wrong. In other cases the timestamps of the packets are correct but the order within the file is wrong. In the former case the editcap utility can be used to rewrite the timestamps of individual packets to ultimately satisfy the 'Strict time order' test. In the latter case the reordercap utility can be used to sort the packets by their original timestamps, which also satisfies the 'Strict time order' test.
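As an added example, not part of the original answer, the following Python reimplements the capinfos 'Strict time order' test and the reordercap fix on a small pcap constructed in memory (a reply written to the file ahead of its query), and shows the negative inter-packet gap behind the impossible durations described above. It handles only the classic little-endian pcap format with microsecond timestamps.

```python
import struct
PCAP_MAGIC_USEC = 0xA1B2C3D4            # classic little-endian pcap, microsecond stamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def parse_pcap(data):
    """Return (ts_sec, ts_usec, payload) records in file order."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic")
    off, records = GLOBAL_HDR.size, []
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records

def build_pcap(records):
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1))  # v2.4, Ethernet
    for ts_sec, ts_usec, payload in records:
        out += REC_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload
    return bytes(out)

def to_usec(rec):
    return rec[0] * 1_000_000 + rec[1]

def strict_time_order(records):
    """The test capinfos reports: no packet is stamped earlier than its predecessor."""
    return all(to_usec(a) <= to_usec(b) for a, b in zip(records, records[1:]))

def file_order_deltas(records):
    # Elapsed microseconds between consecutive packets as written; negative is impossible.
    return [to_usec(b) - to_usec(a) for a, b in zip(records, records[1:])]

def reorder(records):
    """What reordercap does: stable sort by original timestamps, no stamp rewritten."""
    return sorted(records, key=to_usec)

# Constructed sample: a reply (tag 0x01) written to the file before its query (tag 0x00).
SAMPLE = build_pcap([
    (1700000000, 500000, b"\x01" * 60),  # reply, t = .500000, written first
    (1700000000, 100000, b"\x00" * 60),  # query, t = .100000, written second
    (1700000001, 0, b"\x02" * 60),       # unrelated later packet
])

def demo():
    recs = parse_pcap(SAMPLE)
    fixed = reorder(recs)
    return (strict_time_order(recs), file_order_deltas(recs),
            strict_time_order(fixed), file_order_deltas(fixed), [p[0] for _, _, p in fixed])
```

demo() returns the strict-order verdict and inter-packet gaps before and after reordering, followed by the payload tags in their corrected order.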