Wireshark-users: Re: [Wireshark-users] Splitting up large .pcap file results in inconsistent time

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 28 Jul 2010 11:15:56 -0700
On Jul 28, 2010, at 9:13 AM, Yida Gao wrote:

> So I have a large simulation that is about 600 seconds long. 
> I split up the large .pcap file using editcap:
> 
> editcap -i 100 Fulltest-1-0.pcap  100seconds.pcap
> 
> However, when I open each of the files produced (6 of them), they all start with time 0, and end at around time 99. Why aren't the files continuous with the time?

They *are* continuous; you're just displaying them wrong.

In pcap files:

	1) there is *NO* indication of when a capture was started;

	2) each packet has a time stamp, represented as seconds since January 1, 1970, 00:00:00 UTC.

In Wireshark, the time stamp can be displayed as:

	1) an absolute time (for example, "2010-07-28 11:07:00.0000");

	2) a time relative to the first packet in the file (seconds and fractions of a second since that packet);

	3) times relative to the previous packet (captured or displayed).

If you display times relative to the first packet in the file, therefore, *by definition* the first packet will have a time stamp of 0, as the number of seconds between a packet and itself is inherently 0.

> I would assume the last .pcap file would go from 500 seconds to 600 seconds.
The first file goes from T through T+99, where T is the time stamp - represented as seconds since January 1, 1970, 00:00:00 UTC - of the first packet in Fulltest-1-0.pcap.  The second file goes from T+100 through T+199, the third file goes from T+200 through T+299, the fourth file goes from T+300 through T+399, the fifth file goes from T+400 through T+499, and the last file goes from T+500 through T+599.  If by "500 seconds to 600 seconds" you mean "from 500 seconds into the simulation to 600 seconds into the simulation", i.e. "from 500 seconds into the simulation through 599 seconds into the simulation", that *is* what the last pcap file does.

> How can I make the files continuous??

They *are* continuous.

If you mean "how can I view the files so that the times appear continuous", view the time stamps as absolute times, not times relative to the first packet in the file.
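The two facts the reply rests on (a pcap global header carries no capture start time, and every record carries its own seconds-since-1970 timestamp) can be checked directly on the bytes. The following Python is an added illustration, not part of the message above and not Wireshark's or editcap's own code: it builds a synthetic 600-second capture, splits it into 100-second files the way `editcap -i 100` does (boundaries at fixed offsets from the first packet's timestamp), and renders each piece both "relative to first packet" and as absolute time. The epoch value T (2010-07-28 16:00:00 UTC), the dummy 60-byte payloads and the one-packet-per-second spacing are constructed for the example.

```python
"""Minimal classic-pcap writer/reader plus an editcap -i style splitter.
Illustrative code only (not Wireshark's or editcap's implementation)."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # same format written by a big-endian host
LINKTYPE_ETHERNET = 1
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def build_pcap(records, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, payload) tuples into a pcap byte string.
    The global header holds magic, version 2.4, thiszone, sigfigs, snaplen and
    linktype only: nothing in it says when the capture started.  The only
    clock data is the per-record ts_sec/ts_usec, counted from 1970-01-01 UTC."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, payload in records:
        if len(payload) > snaplen:
            raise ValueError("payload longer than snaplen")
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def parse_pcap(data):
    """Return (ts_sec, ts_usec, payload) records, honouring the byte order the
    magic number announces and refusing truncated or malformed records."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += RECORD_HDR_LEN
        # a microsecond pcap never carries ts_usec >= 1e6; a short tail is a cut-off file
        if ts_usec >= 1_000_000 or len(data) - off < incl_len:
            raise ValueError("bad record at offset %d" % (off - RECORD_HDR_LEN))
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records


def split_by_interval(records, seconds_per_file):
    """Mimic `editcap -i N`: file k holds packets with T + k*N <= t < T + (k+1)*N,
    where T is the first packet's timestamp.  Records are assumed time-ordered,
    as editcap assumes.  Empty intervals produce no file."""
    if not records:
        return []
    t0 = records[0][0] + records[0][1] / 1e6
    buckets = []
    for rec in records:
        idx = int((rec[0] + rec[1] / 1e6 - t0) // seconds_per_file)
        while len(buckets) <= idx:
            buckets.append([])
        buckets[idx].append(rec)
    return [build_pcap(b) for b in buckets if b]


def relative_times(records):
    """Wireshark's 'Seconds Since First Captured Packet': the first packet is
    0 by definition, whatever its absolute timestamp is."""
    t0 = records[0][0] + records[0][1] / 1e6
    return [round(s + u / 1e6 - t0, 6) for s, u, _ in records]


def absolute_times(records):
    """Wireshark's 'Date and Time of Day' view, rendered here in UTC."""
    return [datetime.fromtimestamp(s, tz=timezone.utc).replace(microsecond=u)
            .strftime("%Y-%m-%d %H:%M:%S.%f") for s, u, _ in records]


def demo():
    """Constructed 600-second capture, one dummy frame per second, split into
    100-second files; returns per-file first/last times in both displays."""
    T = 1280332800                       # 2010-07-28 16:00:00 UTC, arbitrary
    records = [(T + i, 500000, b"\x00" * 60) for i in range(600)]
    summary = []
    for blob in split_by_interval(parse_pcap(build_pcap(records)), 100):
        recs = parse_pcap(blob)
        rel, ab = relative_times(recs), absolute_times(recs)
        summary.append({"packets": len(recs), "rel_first": rel[0], "rel_last": rel[-1],
                        "abs_first": ab[0], "abs_last": ab[-1]})
    return summary


if __name__ == "__main__":
    for k, f in enumerate(demo()):
        print(k, f)
```

Every one of the six files reports relative times 0.0 through 99.0, exactly as in the question, while the absolute column runs 16:00:00.5 through 16:09:59.5 without a gap. Building the same records shifted by any constant produces a byte-identical 24-byte global header, which is the concrete form of point 1 in the reply.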