time not working - always shows boot time of PC

2023-04-24 09:30:58 +0000

LBee

Running Wireshark 4.0.5 on Win 11 a have an issue with time column - It always shows boot-time of PC, instead of the time the packet was captured.

I have tried downloading v.4.0.4 (portable) but the issue is the same. Also tried the different "Time Display Formats", but it just shows the boot-time in different ways.

If I open a command prompt, and execute the "time"-command it shows the actual time

Any idea what could be wrong?


What version of npcap are you using, this will be shown in the "Running on" section of the Help->About Wireshark dialog.

grahamb ( 2023-04-24 09:59:55 +0000 )

Hi Graham

Looks like 1.74

Running on 64-bit Windows (22H2), build 22624, with AMD Ryzen 7 2700 Eight-Core Processor (with SSE4.2), with 65467 MB of physical memory, with GLib 2.72.3, with PCRE2 10.40 2022-04-14, with Qt 5.15.2, with Npcap version 1.74, based on libpcap version 1.10.3, with c-ares 1.18.1, with GnuTLS 3.6.3, with Gcrypt 1.10.1, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode, without HiDPI, with LC_TYPE=English_United Kingdom.utf8, binary plugins supported.
LBee ( 2023-04-24 10:04:39 +0000 )

1 Answer

2023-04-24 10:16:53 +0000

grahamb

updated 2023-04-24 10:50:51 +0000

OK, like you I have manually installed npcap 1.74 and have the same issue, timestamps in captures are all identical and look to be the PC boot time.

This would be an npcap issue, I have raised it on their GitHub issue tracker, see here.

Edit, fixed npcap issue link,

I un-installed wireshark + npcap, an rebooted my PC. Then downloaded, and installed Wireshark (with pcap).

When starting Wireshark it came with a message about I have to disable "promiscuous mode" on the interface. Did that, and now time-column are showing correct values.

I didn't get that message, when I installed the pcap manually - maybe disabling that could have solved the issue in the first place (dont know what "promiscuous mode" is/does).

At least there is a workaround for the issue

Thanks for your help

LBee ( 2023-04-24 10:34:39 +0000 )

You've probably reverted to an older version of npcap. Wireshark 4.0.5 comes with npcap 1.71 that has the "promiscuous mode" issue, e.g. here.

grahamb ( 2023-04-24 10:54:20 +0000 )

@grahamb: Maybe you want to amend the npcap issue, which lists the Npcap version as 1.7.4, while it's 1.74

Jaap ( 2023-04-24 11:08:22 +0000 )

You're right of course - I didn't think of that when I installed it.

LBee ( 2023-04-24 11:09:37 +0000 )

@Jaap, fixed.

grahamb ( 2023-04-24 11:32:13 +0000 )

