Wireshark-users: Re: [Wireshark-users] Time synchronization for capturing packets

From: "Bartosz Kiziukiewicz" <kiziuk@xxxxxxxxx>
Date: Thu, 25 Aug 2011 12:15:43 +0200
Hi Graham,

the problem with w32time service is that:
- it is only a client, so I still need to synchronize to some external server - "We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network."

The better solution would be to use apps such as OpenNTPD, but it still requires additional setup.

To be frank, the best solution would be to have a Precision Time Protocol server/client built into Wireshark and a magic button "Synchronize between <list-of-machines>".
But I doubt it is available ;-)

--
BR,
Bartosz.


On Thu, 25 Aug 2011 11:56:38 +0200, Graham Bloice <graham.bloice@xxxxxxxxxxxxx> wrote:

On 25/08/2011 10:30, Bartosz Kiziukiewicz wrote:
Hi,

I was wondering what would be the best solution for solving the following problem.

I'm using two or more separate Windows machines for capturing traffic in a
few network points.
The problem is that every machine has a different RTC time (even if the
difference is a few seconds).
That complicates the correct correlation of traffic dumps.

What would be the best way to solve it?

I was thinking about some external time synchronization between machines. However, that would require additional network wiring and a separate NIC to
do this.
Also, it would require running some local SNTP software.
My concern also is that it will not allow a precise enough synchronization
due to the nature of Windows OS.

As I recall, the timestamp of the pcap packet is given by the WinPcap
driver, not Wireshark itself.

Are there any other, better ways to do it?


Windows has built-in facilities to synchronise the time between machines.
Have a look at what the w32tm executable can do for you:
http://technet.microsoft.com/en-us/library/w32tm%28WS.10%29.aspx

Later versions of Windows add more functionality to the command.
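As an added example of the w32tm approach Graham points to (not code from either poster), the commands below turn one capture host into the local NTP reference, point the other capture hosts at it, and check the residual offset before a capture starts. The host names CAP-A (reference) and CAP-B (client), the upstream source pool.ntp.org and the firewall rule name are assumptions for illustration; everything must be run from an elevated prompt.

```powershell
# Added example, not from the mailing-list thread.
# Assumed names: CAP-A = reference capture host, CAP-B = any other capture host,
# pool.ntp.org = upstream source for CAP-A (drop that step on an isolated LAN).

# --- On the reference host (CAP-A) ---
# Take time from an external source (",0x8" = client-mode association),
# mark this host as a reliable source and apply the change.
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:YES /update

# Turn on the NTP server side of w32time (off by default on a workstation)
# and let NTP (UDP/123) in through the Windows firewall.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer' -Name Enabled -Value 1
netsh advfirewall firewall add rule name="NTP in (capture sync)" dir=in action=allow protocol=UDP localport=123

Restart-Service w32time
w32tm /resync

# --- On every other capture host (CAP-B, ...) ---
# Sync from CAP-A only, so all capture hosts share one reference,
# then force an immediate resync.
w32tm /config /manualpeerlist:"CAP-A,0x8" /syncfromflags:MANUAL /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Verify on CAP-B before starting the capture ---
# /query /status shows the source in use and the time of the last sync;
# /stripchart measures the remaining offset to CAP-A a few times.
w32tm /query /status
w32tm /stripchart /computer:CAP-A /samples:5 /period:1 /dataonly
```

The stripchart output is the number that matters for correlation: it is the offset that will still separate the two capture files. If it stays in the tens of milliseconds, correlation by timestamp works; if a consistent residual remains, it can be applied to one of the files afterwards with `editcap -t <seconds>` (negative values shift timestamps earlier). As the original poster notes, Microsoft does not guarantee w32time accuracy between nodes, so this reduces the skew rather than removing it.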