Hi,
Maybe file creation time can help you here.
What does pcap-ng has to offer in this respect?
Thanks,
Jaap
Send from my iPhone
On 23 mrt 2010, at 19:11, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Mar 23, 2010, at 10:30 AM, specop@xxxxxx wrote:
As far as I understood it, Wireshark sets the capture start time to
the moment the first packet arrives, right? So if I start the
capture at time t and the first packet arrives at t+5s, the
capture's start time will be initialized at t+5 (time 0.000s).
Correct?
I'm not sure Wireshark reports any notion of a capture start time.
If you display packet time stamps as "seconds since first packet",
then, obviously, the first packet will have a time stamp of 0 seconds.
Is there a way to determine the real capture start time (not the
arrival of the first packet)? E.g. from a pcap file.
It's definitely *not* possible with a pcap file, as a pcap file
doesn't store the time a capture started - it only stores the time
stamps of packets in the file.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx
>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe