On Mar 23, 2010, at 10:30 AM, specop@xxxxxx wrote:
> As far as I understood it, Wireshark sets the capture start time to the moment the first packet arrives, right? So if I start the capture at time t and the first packet arrives at t+5s, the capture's start time will be initialized at t+5 (time 0.000s). Correct?
I'm not sure Wireshark reports any notion of a capture start time. If you display packet time stamps as "seconds since first packet", then, obviously, the first packet will have a time stamp of 0 seconds.
> Is there a way to determine the real capture start time (not the arrival of the first packet)? E.g. from a pcap file.
It's definitely *not* possible with a pcap file, as a pcap file doesn't store the time a capture started - it only stores the time stamps of packets in the file.