# What is the difference between time and delta time?

Sorry for the very newbie question, I'm still trying to learn wireshark. What would be the difference between time and delta time? Also, what would be the difference between delta time and delta time displayed, as I added both columns and they give 2 different values. I'm currently trying to find a delta time of more than a second through a captured tracer file, will the filter "frame.time_delta > 1.00" work?

edit retag close merge delete

Sort by » oldest newest most voted

If you want to search for gaps of more than one 1 second within a TCP session, you can use the filter tcp.time_delta > 1. The field tcp.time_delta is calculated by calculating the difference between packets within the same tcp stream.

more

Time is when the packet was captured i.e. a fixed value.

Delta time is the time between packets - e.g. the time between packet 2 and packet 3 in a capture.

Delta time displayed is just that - the delta time between the packets displayed in the Wireshark GUI.

So if you applied a filter that hid packet 2 from view and instead you'd only see packet 1 and packet 3, delta time would still indicate the time between packet 2 and 3, but since packet 2 is now hidden, you could be fooled into thinking that it was the delta between packet 1 and packet 3.

My recommendation is to never use delta time, but stick with delta time displayed.

more

Thanks for the clarification. However, I have a different problem now. When I apply the filter "tcp && frame.time_delta_displayed >1.00" it would show an empty packet list. But without the filter, I would be able to clearly see some tcp packets that has more than a second of delta time displayed. Why is this?

( 2019-10-15 11:44:08 +0000 )edit

I don't know the internals of Wireshark to be able to answer your question in detail, but I'm speculating that the reason you cannot use delta time displayed as a filter, is because that value is calculated once Wireshark is done displaying (and filtering) everything - hence there are no values to filter on.

Instead, for that particular investigation you should use the normal delta time. Apologies that I missed that question from your original post.

So to recap: use delta time displayed for everything BUT filtering for packets with a specific delta value. You must however be very careful when using delta time as it's easy to keep filtering your data and if you will then be fooled since the values are based on the original capture and not what you're looking at.

Another solution could be to filter based on the RTT of the ACK ...(more)

( 2019-10-15 12:14:31 +0000 )edit