Wireshark-users: Re: [Wireshark-users] Wireshark time behind the actual time

From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Mon, 23 Aug 2010 15:14:23 -0700
FiddlerCap probably just uses the system clock to generate time stamps, rather than the more precise KeQueryPerformanceCounter that WinPcap uses by default. If you can live with the 10-15ms precision of the system clock in Wireshark, you can always change the TimestampMode value in the registry.

As for the 20-second discrepancy when starting a Wireshark capture, it's possible the driver has already been running for quite some time when the capture began. Try stopping the NPF driver and then starting a capture, and see if the 20-second delay disappears.

On Aug 20, 2010, at 3:43 PM, Gary Chaulklin wrote:

> I am running a Microsoft tool called FiddlerCap and it does not have any time issues throughout the user's session, while Wireshark starts out 20 seconds slow and gets slower as the traces progress. The user is performing tasks and recording a timeline to the second using the PC's clock. The PC's clock may not be the issue, maybe the issue is delayed writing of packets?
>
> The user is running another trace of Java activity as well so maybe we are running out of cycles. But that doesn't seem to explain why the timings in the FiddlerCap trace continue to have accurate times.

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis@xxxxxxxxxxxxxx
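
To put numbers on a discrepancy like the one discussed in this thread, the following added example (not part of the original messages) fits a starting offset and a constant drift rate to pairs of reference-clock and capture timestamps, then maps capture times back onto the reference clock. The sample pairs are constructed, the function names are hypothetical, and the model of one past synchronisation followed by constant drift is an assumption.

```python
from statistics import mean

# Constructed sample: (reference clock, capture timestamp) in seconds since
# midnight, e.g. a user's logged action matched to the packet it produced.
PAIRS = [(56580.0, 56560.0), (57180.0, 57159.7),
         (57780.0, 57759.4), (58380.0, 58359.1)]

def fit_clock_error(pairs):
    """Least-squares fit of (capture - reference) = offset + rate * elapsed.

    elapsed is measured from the first reference time. Returns (offset, rate):
    offset in seconds at the first sample, rate in seconds gained per second.
    """
    t0 = pairs[0][0]
    xs = [ref - t0 for ref, _ in pairs]
    ys = [cap - ref for ref, cap in pairs]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need samples at two or more distinct reference times")
    rate = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - rate * mx, rate

def seconds_since_sync(offset, rate):
    """Assumed model: timestamps matched the system clock at one past moment and
    drifted at a constant rate since. Returns that age, or None if the data do
    not fit the model (no drift, or offset and drift with opposite signs)."""
    if rate == 0 or offset / rate < 0:
        return None
    return offset / rate

def to_reference(capture_time, t0, offset, rate):
    """Map a capture timestamp back onto the reference clock."""
    # capture = ref + offset + rate * (ref - t0), solved for ref
    return (capture_time - offset + rate * t0) / (1 + rate)

if __name__ == "__main__":
    offset, rate = fit_clock_error(PAIRS)
    print(f"offset at first sample: {offset:+.3f} s")
    print(f"drift: {rate * 3600:+.3f} s per hour")
    print(f"implied time since sync: {seconds_since_sync(offset, rate):.0f} s")
    fixed = to_reference(57759.4, PAIRS[0][0], offset, rate)
    print(f"capture 57759.4 -> reference {fixed:.3f}")
```

A fit with a large offset but near-zero drift does not match the single-synchronisation model and points to a different cause than accumulated drift.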