Inconsistent Wireshark Arrival Times

asked 2021-01-16 16:14:49 +0000

arnh

I am using Wireshark to investigate poor performance on an internal LAN. One Windows 10 PC is accessing SQL Server on another Windows 10 PC over a powerline. I do not understand why the Arrival Time stamped on packets by Wireshark differs by over a second on the two PCs.

Wireshark running on the transmitting PC shows the Arrival Time for a packet being sent is 14:45:27.8. Wireshark running on the receiving PC shows this packet's Arrival Time as 14:45:26.4. [The round trip time to ACK the segment was 7 milliseconds]

Both PCs are running Windows 10 and both system clocks are synchronized to time.nist.gov. My understanding is that the Arrival Time shown by Wireshark comes from the Windows system time via Npcap.

Why are the times shown on each PC so different for the same frame?


Comments

The arrival time on the receiving PC is lower than the time on the sending PC. That's not possible. Sounds like the system clock of one or both PCs is not really in sync. Have you checked this?

JasMan ( 2021-01-16 16:43:44 +0000 )

The seconds on each PC as shown in Windows Calendar are in sync. They could be out by some milliseconds, but not by a whole second. They had also been synchronised with the time signal before the capture. There's got to be some reason why Npcap is reporting different times.

arnh ( 2021-01-16 17:20:08 +0000 )

Have a look at @guy-harris' answer to this question; I think it may help explain things: Frame Arrival Time drift

cmaynard ( 2021-01-16 18:59:35 +0000 )

Thanks. I did look at @guy-harris' answer before posting. But this was about drift over a long period of time. Both my PCs are rebooted every day - so I'm assuming that npf resyncs every morning.

arnh ( 2021-01-16 19:32:00 +0000 )

Have you tried to reduce the capture amount of packets by using a capture filter, which captures only the traffic between PC A and B / SQL protocol? Maybe NPF is not able to add the exact timestamp due to a high network/capture load on one of the clients.

JasMan ( 2021-01-17 12:02:53 +0000 )

1 Answer


answered 2021-01-17 16:01:29 +0000

JasMan

Try to reduce the capture amount of packets by using a capture filter, which captures only the traffic between PC A and B / SQL protocol. Maybe NPF is not able to add the exact timestamp due to a high network/capture load on one of the clients.

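One way to tell the two explanations raised in this thread apart (a fixed clock offset between the PCs versus timestamps that wander during the capture), as an added example that is not part of the original posts. It assumes the same packets have been matched across both capture files by some key (for instance IP ID plus TCP sequence number) and exported as microsecond timestamps; the function name, keys and sample values are constructed for illustration, with the first packet and the 7 ms RTT taken from the question.

```python
from statistics import median

def classify_offsets(sender_us, receiver_us, rtt_us):
    """Compare timestamps of the same packets as captured on both hosts.

    sender_us / receiver_us: {packet_key: capture timestamp in microseconds}
    rtt_us: measured round-trip time, used as an upper bound on one-way delay.
    """
    keys = sender_us.keys() & receiver_us.keys()
    if not keys:
        raise ValueError("no packets common to both captures")
    # delta = (receiver clock - sender clock) + one-way delay, 0 <= delay <= RTT
    deltas = sorted(receiver_us[k] - sender_us[k] for k in keys)
    spread = deltas[-1] - deltas[0]
    # Every delta must fit skew + [0, RTT], which bounds the possible skew.
    bounds = (deltas[-1] - rtt_us, deltas[0])
    if spread > rtt_us:
        # Network delay alone cannot explain this much variation.
        verdict, bounds = "variable", None
    elif bounds[0] <= 0 <= bounds[1]:
        verdict = "in-sync"
    else:
        verdict = "constant-skew"
    return {"matched": len(keys), "median_us": median(deltas),
            "spread_us": spread, "skew_bounds_us": bounds, "verdict": verdict}

# Constructed sample data. Packet 1 uses the question's times:
# sent 14:45:27.8 on the sender, seen 14:45:26.4 on the receiver, RTT 7 ms.
T0 = ((14 * 60 + 45) * 60 + 27) * 1_000_000 + 800_000
RTT_US = 7_000
SENDER = {1: T0, 2: T0 + 12_000, 3: T0 + 30_000}
# Receiver timestamps with a steady offset of about -1.4 s (constructed).
STEADY = {1: T0 - 1_400_000, 2: T0 + 12_000 - 1_398_800,
          3: T0 + 30_000 - 1_399_500}
# Receiver timestamps whose offset wanders by hundreds of ms (constructed).
JITTERY = {1: T0 - 1_400_000, 2: T0 + 12_000 - 900_000,
           3: T0 + 30_000 - 1_100_000}

if __name__ == "__main__":
    for name, rx in (("steady", STEADY), ("jittery", JITTERY)):
        print(name, classify_offsets(SENDER, rx, RTT_US))
```

A "constant-skew" verdict is consistent with the two system clocks simply disagreeing, while "variable" means the timestamps shifted relative to each other during the capture, which is what a timestamping problem under capture load would look like.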