Ask Your Question
0

How can I change the time to match reality?

asked 2019-07-09 01:24:20 +0000

Glenn Varnon gravatar image

When Wireshark starts off, the time is zero. I wanted to change the time so that it made sense in the month day year and hour/minute and seconds.

I selected Edit->Time Shift.... I then clicked on the "Set the time for packet" to packet I wanted to set the time to. I then entered 2019-07-08 (space) 12:15:00. The box turned green which I assume means that it is an acceptable format. I clicked the "apply" button.

Nothing changed.

So how do I get the time to change to the time I want?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-07-09 02:41:43 +0000

Hi Glenn,

Time Shift allows you to "shift" the timestamp on captured packets.

This is helpful when looking at capture files across time zones. (This is one example.)

You look at a capture (PCAP) done in UTC 0 but you are in UTC +5.

Time shift allows you to shift all timestamps by five hours so that you are looking at timestamps for your time zone.

Did you look at Time Display Format?

Go to View -> Time Display Format

It's possible you are seeing the time column as "Seconds Since Beginning of Capture" (CTRL+ALT+4)

If that is the case try to use "Date and Time of Day" (CTRL+ALT+1) or simply "Time of Day" (CTRL+ALT+2)

Hope this helps.

Cheers,

JFD

edit flag offensive delete link more

Comments

Time shift allows you to shift all timestamps by five hours so that you are looking at timestamps for your time zone.

When you select the time display format "Date and Time of Day", the packets are already displayed in your timezone (the timezone configured on your system). No need to do a time-shift. Time shift can be used when you know that the timestamps in the capture file are not correct (due to not synchronizing time on the capture host).

SYN-bit gravatar imageSYN-bit ( 2019-07-09 13:36:32 +0000 )edit
0

answered 2019-07-09 02:43:51 +0000

Jim Aragon gravatar image

The default setting for Wireshark's Time column is "Seconds Since Beginning of Capture," and with that setting, the first packet is always going to be zero, regardless of what time of day it was captured.

You can see the actual time of day in the Frame section. If you want to also see the time of day in the Time column, go to View > Time Display Format and select one of the choices that displays the time of day.

Don't use the Time Shift function for this. The Time Shift function will change the actual arrival time of the packet. You don't want to change the recorded arrival time, you want to just change how the time is _displayed_.

"Seconds Since Beginning of Capture" is useful if you want to apply Time References in order to see elapsed times, so you could also leave the Time column setting at the default and add a second custom time column to show the time of day.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-07-09 01:24:20 +0000

Seen: 81 times

Last updated: Jul 09