Thanks. I have looked at the traces, one taken from XP, the other from
Vista. The time difference is around 2.5 seconds!!!!! This is why I
thought the traces were not being merged properly.
I will attempt to compensate as suggested by Sake.
Chris
-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: 18 June 2008 23:17
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capturing and merging files from
different machines
On Jun 18, 2008, at 2:13 PM, Chris Swinney wrote:
> I may have misread the merged file. I'm not sure if the merged
> file is totally correct as I seem to be getting responses before
> requests, but they DO appear to be in chronological order. I'm not
> sure at which point the time stamp is applied to the packet and if
> the sniffing PCs have any effect on this - I think not. I assume
> that the time stamp is applied to the header by whatever device sent
> the packet, not by a device listening.
No. The time stamps Wireshark gets from libpcap/WinPcap when it's
capturing are the time stamps libpcap/the user-mode WinPcap code get
from the OS's native capture mechanism/the WinPcap driver; from the
point of view of libpcap/WinPcap, packets are time-stamped when they
are *received*, not when they are *sent*.
Note also that the time stamp value comes from the clock's value at
the time the time-stamping code runs; that could be after the packet
is received by the network adapter or provided to the network adapter
by the host. See the page Sake Blok mentioned in his message:
http://wiki.wireshark.org/Timestamps
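The skew compensation discussed above, as an added worked example that is not part of this thread and not Wireshark project code: each sniffer stamps a frame with its own clock at receive time, so a capture from a host whose clock is 2.5 s behind will show replies before their requests once the two files are merged. The script below does in Python what editcap -t <offset> followed by mergecap would do: it parses two classic libpcap files, estimates the clock offset from a frame both sniffers saw (a broadcast), shifts one capture onto the other's clock, and merges in chronological order. The pcap bytes, the Ethernet frames, the 2.5 s skew and all function names are constructed for the example; only the pcap file layout is the real format.

```python
"""Shift and merge libpcap captures taken on two hosts with unsynchronised clocks.

Added example, not code from the Wireshark project or from the thread above.
libpcap/WinPcap stamps each packet with the *capturing* host's clock at receive
time, so two hosts whose clocks disagree produce a merged file with replies
ahead of requests unless one side is shifted first. All sample pcap data below
is constructed in memory for the example.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1

Packet = Tuple[float, bytes]   # (timestamp in seconds, captured bytes)


def build_pcap(packets: List[Packet]) -> bytes:
    """Serialise packets into a minimal little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def read_pcap(blob: bytes) -> List[Packet]:
    """Parse a classic pcap file, honouring the byte order its magic declares."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap / pcapng not handled)")
    packets: List[Packet] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated packet record header")
        sec, usec, caplen, _wirelen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("truncated packet data")
        off += caplen
        packets.append((sec + usec / 1_000_000, data))
    return packets


def estimate_offset(cap_a: List[Packet], cap_b: List[Packet]) -> float:
    """Clock of B minus clock of A, measured on frames both sniffers captured.

    A frame seen by both hosts (a broadcast, say) was on the wire at one
    instant, so the difference between its two timestamps is clock skew plus
    negligible receive jitter. The median over all common frames is returned.
    """
    seen_a = {data: ts for ts, data in cap_a}
    diffs = sorted(ts_b - seen_a[data] for ts_b, data in cap_b if data in seen_a)
    if not diffs:
        raise ValueError("no frame common to both captures; choose the offset by hand")
    return diffs[len(diffs) // 2]


def shift(cap: List[Packet], offset: float) -> List[Packet]:
    """Add offset seconds to every timestamp (what editcap -t does)."""
    return [(ts + offset, data) for ts, data in cap]


def merge(*caps: List[Packet]) -> List[Packet]:
    """Chronological merge of several captures (mergecap's default mode)."""
    return sorted((p for cap in caps for p in cap), key=lambda p: p[0])


def merge_with_skew_correction(pcap_a: bytes, pcap_b: bytes) -> List[Packet]:
    """Read both files, move B onto A's clock, and merge in time order."""
    cap_a, cap_b = read_pcap(pcap_a), read_pcap(pcap_b)
    return merge(cap_a, shift(cap_b, -estimate_offset(cap_a, cap_b)))


# Constructed traffic: a broadcast ARP both sniffers see, a request captured on
# the XP side 200 ms later, and its reply captured on the Vista side 100 ms
# after that. Vista's clock is assumed to run 2.5 s *behind* XP's.
ARP_BCAST = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"arp-who-has"
REQUEST = b"\x00\x11\x22\x33\x44\x55" + b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x08\x00" + b"GET /"
REPLY = b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"200 OK"
VISTA_SKEW = -2.5

XP_PCAP = build_pcap([(100.0, ARP_BCAST), (100.2, REQUEST)])
VISTA_PCAP = build_pcap([(100.0 + VISTA_SKEW, ARP_BCAST), (100.3 + VISTA_SKEW, REPLY)])

if __name__ == "__main__":
    naive = merge(read_pcap(XP_PCAP), read_pcap(VISTA_PCAP))
    fixed = merge_with_skew_correction(XP_PCAP, VISTA_PCAP)
    print("naive merge    :", [d[14:] for _, d in naive])   # reply precedes request
    print("skew-corrected :", [d[14:] for _, d in fixed])   # request precedes reply
    with open("merged.pcap", "wb") as f:                     # open this in Wireshark
        f.write(build_pcap(fixed))
```

The offset estimate only works if some frame was captured by both machines; on a switched network that is usually a broadcast or multicast frame, and if there is none, pick the offset by hand from a known request/reply pair and pass it to shift() directly. The residual error after shifting is the difference in receive-path latency on the two hosts, which is normally well under a millisecond, so it will not reorder a request and a reply separated by more than that.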