Ask Your Question
0

What is the difference between time and delta time?

asked 2019-10-15 11:19:07 +0000

tada234 gravatar image

Sorry for the very newbie question, I'm still trying to learn wireshark. What would be the difference between time and delta time? Also, what would be the difference between delta time and delta time displayed, as I added both columns and they give 2 different values. I'm currently trying to find a delta time of more than a second through a captured tracer file, will the filter "frame.time_delta > 1.00" work?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-10-15 18:01:00 +0000

SYN-bit gravatar image

If you want to search for gaps of more than one 1 second within a TCP session, you can use the filter tcp.time_delta > 1. The field tcp.time_delta is calculated by calculating the difference between packets within the same tcp stream.

edit flag offensive delete link more
0

answered 2019-10-15 11:25:41 +0000

NJL gravatar image

updated 2019-10-15 11:32:13 +0000

Time is when the packet was captured i.e. a fixed value.

Delta time is the time between packets - e.g. the time between packet 2 and packet 3 in a capture.

Delta time displayed is just that - the delta time between the packets displayed in the Wireshark GUI.

So if you applied a filter that hid packet 2 from view and instead you'd only see packet 1 and packet 3, delta time would still indicate the time between packet 2 and 3, but since packet 2 is now hidden, you could be fooled into thinking that it was the delta between packet 1 and packet 3.

My recommendation is to never use delta time, but stick with delta time displayed.

edit flag offensive delete link more

Comments

Thanks for the clarification. However, I have a different problem now. When I apply the filter "tcp && frame.time_delta_displayed >1.00" it would show an empty packet list. But without the filter, I would be able to clearly see some tcp packets that has more than a second of delta time displayed. Why is this?

tada234 gravatar imagetada234 ( 2019-10-15 11:44:08 +0000 )edit

I don't know the internals of Wireshark to be able to answer your question in detail, but I'm speculating that the reason you cannot use delta time displayed as a filter, is because that value is calculated once Wireshark is done displaying (and filtering) everything - hence there are no values to filter on.

Instead, for that particular investigation you should use the normal delta time. Apologies that I missed that question from your original post.

So to recap: use delta time displayed for everything BUT filtering for packets with a specific delta value. You must however be very careful when using delta time as it's easy to keep filtering your data and if you will then be fooled since the values are based on the original capture and not what you're looking at.

Another solution could be to filter based on the RTT of the ACK ...(more)

NJL gravatar imageNJL ( 2019-10-15 12:14:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-15 11:19:07 +0000

Seen: 22,218 times

Last updated: Oct 15 '19