Suggestion for Documentation Change

asked 2022-06-01 01:32:32 +0000

CrimpOn

updated 2022-06-01 05:04:07 +0000

cmaynard

I began a complicated capture at 10:40 this morning, and checked on the progress many times during the day. Suddenly late in the afternoon, some packets appeared with time stamps showing the first capture with a time of less than one second. The "View" setting for Time Display Format was "Seconds since beginning of capture". The capture session had been running for over 7 hours waiting for that elusive packet to show up.

What I deduce is that "beginning of capture" means "the first packet that is captured" rather than "since the capture session began." I was not watching at the instant the first packet was captured, so I do not know precisely when that happened. (I understand that 99.9% of the time packets start being captured the instant that Wireshark starts looking. Being the 0.1% in this regard is not quite the same as when comparing income! I have now changed to logging the actual clock time. I lost about 24 hours thinking I was collecting data when I wasn't. Not a big deal in the grand scheme of things.)

Perhaps it would help others if the documentation (or even the program itself) were more specific about what "beginning of capture" MEANS.

Wireshark is the most amazing tool and my "go to" for analyzing network issues.

1 Answer

answered 2022-06-01 05:27:47 +0000

Jaap

I hope you are aware of the fact that what you are referring to is the _presentation_ of time, not the timestamps as they are stored with the packets. Whenever you are looking at packets in the packet list you are free to change the Time Display Format; this has no bearing on what is stored in the capture file.

In your case you could have simply changed the Time Display Format to Time of Day to see exactly when the packet was captured.

As for your suggestion, Seconds Since Beginning of Capture could be rephrased as Seconds Since First Captured Packet, but I leave that to the native speakers.

Perhaps capture start (and stop) timestamps could be added to the pcapng file format. But that's a whole other story.

Comments

Lack of awareness is an accurate way to describe my confusion. Admitting ignorance is humbling, but seems to be the only way I learn things.

Wireshark is now collecting (and displaying) exactly what I need, and the results make perfect sense.

Thanks.

CrimpOn ( 2022-06-01 05:41:42 +0000 )
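The point made in the answer, as an added example that is not part of the original thread and is not Wireshark's code: a minimal classic pcap reader showing that each packet record stores an absolute timestamp, so a relative display can only be computed from the first record. The sample file bytes, timestamps and function names are constructed for this illustration, and it assumes a little-endian, microsecond-resolution classic pcap file (not pcapng).

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond resolution

def build_sample_pcap():
    """Constructed sample: two 4-byte dummy packets, the first at 17:45:00.25 UTC."""
    t0 = int(datetime(2022, 5, 31, 17, 45, tzinfo=timezone.utc).timestamp())
    stamps = [(t0, 250_000), (t0 + 1, 750_000)]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    # None of these fields records when the capture session was started.
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        payload = b"\x00" * 4
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

def packet_times(pcap_bytes):
    """Return [(absolute_utc, seconds_since_first_packet), ...] per record."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset, first_us, rows = 24, None, []
    while offset + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, offset)
        if offset + 16 + incl_len > len(pcap_bytes):
            break  # truncated final record, stop cleanly
        offset += 16 + incl_len
        ts_us = sec * 1_000_000 + usec  # integer microseconds avoid float drift
        if first_us is None:
            first_us = ts_us  # reference point is the first captured packet
        absolute = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(microseconds=usec)
        rows.append((absolute, (ts_us - first_us) / 1_000_000))
    return rows

if __name__ == "__main__":
    for absolute, relative in packet_times(build_sample_pcap()):
        print(absolute.isoformat(), f"{relative:.6f}")
```

The first row always has a relative time of zero, however long the capture session was idle before that packet arrived; the absolute column is what shows when it was actually captured.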
