Wireshark-users: Re: [Wireshark-users] Time Display issues opening traces

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 10 Jun 2011 12:49:12 -0700

On Jun 10, 2011, at 12:39 PM, Chris Alton wrote:

> That method would work if I knew what timezone the trace was from but I get traces from all kinds of different Time Zones and I'd have to change that quite often.
> I'm also pretty sure that Wireshark didn't used to do this in the past but I may be remembering incorrectly.

pcap and pcap-ng files store the time stamp as UTC (*not* as local time where the traffic was captured), and Wireshark converts and has always (dating back to before it was called Wireshark) converted it to local time.

You would, therefore, have to change the time zone setting every time you look at a trace in a different time zone.  pcap-ng, but not pcap, has the ability to record something indicating the time zone setting for a capture, but currently it's not well specified - it's currently specified as a 4-byte value with an unspecified meaning - and not supported.

> I'm also kind of confused as to why changing the times in a network trace to the local timezone would actually be of any help in the first place. I seriously tried to think of a reason and was unable to come up with anything :)

At least for pcap and pcap-ng captures - and for newer NetMon captures - it's not *changing* the time to the local time zone, it's displaying it *in* the local time zone, rather than as UTC; the alternative would be to display it as UTC, which, for most locations, would require you to, well, mentally compensate for the time zone difference.
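
The point made in the message above, as an added example that is not part of the original message and is not Wireshark code: the classic pcap record header holds a UTC epoch value, and the zone only affects how that one instant is displayed. The capture bytes are constructed for illustration, and the fixed UTC offsets passed to the hypothetical `render` helper are assumptions standing in for real time zone rules.

```python
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_sample_pcap():
    """Constructed one-packet capture (little-endian), not real traffic."""
    # magic, version 2.4, two reserved fields (0), snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    payload = bytes(14)  # zeroed Ethernet header
    # ts_sec (UTC epoch seconds), ts_usec, captured length, original length
    rec_hdr = struct.pack("<IIII", 1307735352, 250000, len(payload), len(payload))
    return global_hdr + rec_hdr + payload


def read_timestamps(data):
    """Return every record timestamp as a timezone-aware UTC datetime."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    offset, stamps = 24, []
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        utc = datetime.fromtimestamp(sec, timezone.utc) + timedelta(microseconds=usec)
        stamps.append(utc)
        offset += 16 + incl_len  # skip the record header and the packet bytes
    return stamps


def render(ts, utc_offset_hours):
    """Display the same instant at a fixed UTC offset (assumed, no DST rules)."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return ts.astimezone(zone).isoformat(timespec="milliseconds")


if __name__ == "__main__":
    for ts in read_timestamps(build_sample_pcap()):
        for hours in (0, -7, 9):  # UTC, and two assumed analyst offsets
            print(f"UTC{hours:+d}: {render(ts, hours)}")
```

When correlating a capture with logs from another site, converting both to UTC first avoids depending on the viewer's zone setting.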