..... and not when the first packet is seen?
I want to be able to time network events from the time a device is powered up (which is when I start the capture file). Currently I can only see timers starting when the first packet is captured.
I think you want the time of the first packet to display the offset from when the capture was started, rather than the current (when "Seconds Since Beginning of Capture" time format is selected) 0.000000.
Unfortunately, I don't think that's currently possible as the capture file format (pcap or pcapng) doesn't record the start time of the capture, only the timestamp of each packet.
It might be possible to add the capture start time to the capture, please raise an enhancement request on the Wireshark Bugzilla.
Asked: 2019-07-31 08:00:37 +0000
Seen: 700 times
Last updated: Jul 31 '19
And what timer would this be? Are you referring to the timestamp of the first packet?
Hi. No Id like the timer to start when I click the capture start button so I can time the delay from a device powering up to when it starts its network activity.
I think you'd need to start capturing on another machine and then generate a packet (ping, for example) while simultaneously powering up the Device Under Test (DUT). Your capture machine should capture the marker packet and that will allow you to have a time reference you can use for all other measurements.
A marker I like to use instead of an ICMP echo request (ping) is a syslog packet generated from
nc(a.k.a., netcat). For example:[Conduct tests.]
Hi - thanks for responding. I wont be able to ping the capture machine in this case as its connected to a SPAN destination port for the purpose of capturing. I like your suggestion of using marker packets and will certainly make use of them where possible. Thanks again
You should still be able to capture the marker though, right? You don't really care if the switch actually passes the packet or not, only that the capture device connected to the switch records the marker in the capture file, which it should.