Wireshark-users: Re: [Wireshark-users] Capturing and merging files from different machines
From: "Chris Swinney" <swin@xxxxxxxxxxxxx>
Date: Wed, 18 Jun 2008 22:13:20 +0100
I may have misread the merged file. I'm not sure if the merged file is totally correct as I seem to be getting responses before requests, but they DO appear to be in chronological order. I'm not sure at which point the time stamp is applied to the packet and if the sniffing PCs have any effect on this - I think not. I assume that the time stamp is applied to the header by whatever device sent the packet, not by a device listening.

Somebody else mentioned a way to correct these offsets, so I may give this a go. 

Chris
 


-----Original Message-----
From: Jeff Morriss [mailto:jeff.morriss.ws@xxxxxxxxx] 
Sent: 18 June 2008 16:45
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Capturing and merging files from different machines



Chris Swinney wrote:
> Hi,
> 
> I have taken a capture on two different machines from an in-line network 
> tap (one to capture upstream, one to capture downstream data). I now 
> need to merge these files, but when I ask Wireshark to merge them 
> chronologically, it seems to merge them based on the initial time taken 
> into the capture, not the actual capture time.
> 
> I have tried to mitigate time differences by synching both machines to 
> an NTP server, but of course both captures are themselves started at 
> different times. How can I best accomplish what I want? I've had a look 
> at mergecap (as well as the inbuilt merge facility as shown above), but 
> am not sure if this will still do what I'm after.

Maybe I'm being naive here but I would expect a "chronological merge" to 
merge the packets based on their (absolute) timestamps (that is, based 
on the time stamp of each packet--which is in secs+usecs since the 
epoch), not based on seconds since the beginning of the capture file.

(In fact I merge capture files quite frequently so I somewhat depend on 
this functionality.)

Questions:

- what version of Wireshark are you using?
- what is your time display format (time of day, seconds since beginning 
of capture, etc.)?  Not that it should matter, but...
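
Added worked example (not code from the thread or from Wireshark/mergecap itself): a minimal pcap reader/writer in Python that reproduces what a chronological merge does (sort every record by its absolute sec+usec stamp, as Jeff describes) and what an editcap-style time shift does to correct a skewed capture. The point worth checking before trusting a merged file is that the timestamp in a pcap record is written by the capturing host's clock when libpcap receives the frame, not by the device that sent the packet, so two sniffers whose clocks differ produce exactly the "responses before requests, yet each file looks chronological" symptom. The epoch timestamps, the 1.5 s clock error on the downstream machine, and the REQ/RSP payloads below are constructed for the demo.

```python
"""Chronological pcap merge by absolute timestamp plus an editcap-style time
shift, to illustrate clock skew between two capturing hosts. Added example; not
Wireshark or mergecap code. All capture data below is constructed."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets, snaplen=65535):
    """Serialize [(ts_sec, ts_usec, payload), ...] into a pcap file image.
    The record timestamp is whatever the capturing host's clock read when the
    frame was handed up; the frame itself carries no capture timestamp."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def parse_pcap(blob):
    """Parse a pcap file image into [(ts_sec, ts_usec, payload), ...],
    honoring the byte order announced by the magic number."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:        # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    packets, off = [], 24            # 24-byte global header
    while off < len(blob):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        packets.append((sec, usec, blob[off:off + incl]))
        off += incl
    return packets


def merge_chronological(*captures):
    """Interleave any number of captures by absolute (sec, usec). sorted() is
    stable, so records with identical stamps keep their input order."""
    return sorted((p for cap in captures for p in cap), key=lambda p: (p[0], p[1]))


def shift_time(packets, delta_usec):
    """Add a signed microsecond offset to every record (what `editcap -t <secs>`
    does), used to correct a capturing host whose clock was off."""
    shifted = []
    for sec, usec, data in packets:
        total = sec * 1_000_000 + usec + delta_usec
        shifted.append((total // 1_000_000, total % 1_000_000, data))
    return shifted


# Constructed sample: two captures of one tap. Requests leave at t and t+200us;
# each response arrives 100us after its request. The downstream capturer's
# clock is 1.5 s behind, so its stamps are 1.5 s too small.
UPSTREAM = build_pcap([(1_213_823_600, 100, b"REQ1"),
                       (1_213_823_600, 300, b"REQ2")])
DOWNSTREAM = build_pcap([(1_213_823_598, 500_200, b"RSP1"),
                         (1_213_823_598, 500_400, b"RSP2")])


def merged_order(downstream_delta_usec=0):
    """Merge both captures after shifting the downstream file by the given
    offset; return the payload labels in merged order."""
    down = shift_time(parse_pcap(DOWNSTREAM), downstream_delta_usec)
    merged = merge_chronological(parse_pcap(UPSTREAM), down)
    return [p[2].decode() for p in merged]


if __name__ == "__main__":
    # Unshifted: responses sort ahead of their requests even though each
    # input file is internally chronological.
    print("raw merge     :", merged_order())
    # After correcting the downstream clock by +1.5 s the exchange reads sanely.
    print("shifted merge :", merged_order(1_500_000))
```

With the real tools the same two steps are `editcap -t 1.5 downstream.pcap downstream-fixed.pcap` followed by `mergecap -w merged.pcap upstream.pcap downstream-fixed.pcap` (mergecap merges by absolute timestamp unless you pass `-a`, which concatenates the files instead). The offset itself has to be measured from a packet pair you know the true order of, such as a TCP SYN and its SYN/ACK captured on opposite sides of the tap.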