I began a complicated capture at 10:40 this morning, and checked on the progress many times during the day. Suddenly late in the afternoon, some packets appeared with time stamps showing the first capture with a time of less than one second. The "View" setting for Time Display Format was "Seconds since beginning of capture". The capture session had been running for over 7 hours waiting for that illusive packet to show up.
What I deduce is that "beginning of capture" means "the first packet that is captured" rather than "since the capture session began." I was not watching at the instant the first packet was captured, so I do not know precisely when that happened. (I understand that 99.9% of the time packets start being captured the instant that Wireshark starts looking. Being the 0.1% in this regard is not quite the same as when comparing income! I have now changed to logging the actual clock time. I lost about 24 hours thinking I was collecting data when I wasn't. Not a big deal in the grand scheme of things.)
Perhaps it would help others if the documentation (or even the program itself) were more specific about what "beginning of capture" MEANS.
Wireshark is the most amazing tool and my "go to" for analyzing network issues.
