Ethereal-users: Re: [Ethereal-users] negative time

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 11 Dec 2002 10:16:45 -0800
On Wed, Dec 11, 2002 at 04:29:59PM -0000, Z.Qili@xxxxxxxxxxxxx wrote:
> Does anybody know why there are so many negative time values in Ethereal?
> It seems impossible for "negative time" because the time is calculated
> comparing to the first packet sniffed.

To which time are you referring?

If you're referring to the "time since the first packet" column in the
display (the default value in the "Time" column) and the "Time relative
to first packet" item in the protocol tree, note that, in fact, in many
capture file formats (including Ethereal's native capture file format,
which is the format used by tcpdump), the packet time stamps are, in
fact, *absolute* time stamps - and if, for whatever reason, the OS code
that time-stamps the packet is giving some packets time stamps *before*
the time stamp of the first packet, that would cause the time stamp to
be negative.