On Thu, Aug 25, 2011 at 11:30:09AM +0200, Bartosz Kiziukiewicz wrote:
> I'm using two or more separate Windows machines for capturing traffic
> in a few network points. The problem is that every machine has a
> different RTC time (even if the difference is a few seconds). That
> complicates the correct correlation of traffic dumps.

You can modify timestamps in capture files using the editcap command
line utility. In the most recent development versions of Wireshark
(http://www.wireshark.org/download/automated/), there is a new feature
under the Edit menu called "Time Shift" that has various choices for
modifying the timestamps of packets:

  Shift all packets / Time offset
  Set (one) packet to time
  Set packets to time and extrapolate
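
Added example, not part of the original message and not Wireshark's own code: a constant time offset of the kind described above, applied directly to the record headers of a classic pcap file so that captures from hosts with skewed clocks line up. The function names and the sample capture are constructed for illustration; pcapng files are assumed out of scope.

```python
import struct

# Magic as read little-endian -> (byte order of the file, timestamp ticks per second)
MAGICS = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond pcap
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),   # nanosecond pcap
}

def _records(data):
    """Yield (endian, ticks_per_sec, sec, frac, incl_len, orig_len, payload)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian, ticks = MAGICS[magic]
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if pos + 16 + incl > len(data):
            raise ValueError("truncated packet data")
        yield endian, ticks, sec, frac, incl, orig, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def shift_pcap(data, offset_seconds):
    """Return a copy of the capture with every timestamp moved by offset_seconds."""
    out = bytearray(data[:24])
    for endian, ticks, sec, frac, incl, orig, payload in _records(data):
        total = sec * ticks + frac + round(offset_seconds * ticks)
        if not 0 <= total // ticks <= 0xFFFFFFFF:
            raise ValueError("shifted timestamp does not fit the 32-bit seconds field")
        out += struct.pack(endian + "IIII", total // ticks, total % ticks, incl, orig)
        out += payload
    return bytes(out)

def timestamps(data):
    """Timestamps of all packets as (seconds, fraction) pairs."""
    return [(sec, frac) for _, _, sec, frac, _, _, _ in _records(data)]

def sample_capture():
    """Constructed little-endian microsecond pcap with two 4-byte packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt = lambda sec, usec: struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return hdr + pkt(1314264609, 250000) + pkt(1314264610, 0)
```

Keep the unmodified capture alongside the shifted copy and record the offset you applied, so the adjustment can be reproduced or reversed later.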