Wireshark · Wireshark-users: Re: [Wireshark-users] Capture start time

Wireshark-users: Re: [Wireshark-users] Capture start time

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Tue, 23 Mar 2010 16:47:41 -0700

On Mar 23, 2010, at 4:09 PM, Jaap Keuter wrote:

> Maybe file creation time can help you here.

...if you're running on an OS that supports a creation time (Windows, some but not all UN*Xes) and the file is on a file system that supports it.  (Wireshark currently doesn't attempt to get the creation time on any UN*X, and I don't think it does so on Windows, either.)

> What does pcap-ng has to offer in this respect?

The Interface Statistics Block has capture start time and capture end time options; that block appears to be intended to appear at the *end* of the capture, so if you're running a one-pass program, you can't display packet time stamps as "seconds since the capture started".

If there was a capture start time option for the Interface Description Block, that would be possible.

References:
- [Wireshark-users] Capture start time
  - From: specop
- Re: [Wireshark-users] Capture start time
  - From: Guy Harris
- Re: [Wireshark-users] Capture start time
  - From: Jaap Keuter

Prev by Date: Re: [Wireshark-users] Capture start time
Next by Date: [Wireshark-users] Upgraded wireshark to 1.2.6 but now old pcap files cannot be read
Previous by thread: Re: [Wireshark-users] Capture start time
Next by thread: [Wireshark-users] WireShark does not find an interface
Index(es):
- Date
- Thread