Wireshark - 1.0 Betriebsanweisung Seite 151
- Seite / 284
- Inhaltsverzeichnis
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
7.4. Time Stamps
Time stamps, their precisions and all that can be quite confusing. This section will provide you with
information about what's going on while Wireshark processes time stamps.
While packets are captured, each packet is time stamped as it comes in. These time stamps will be
saved to the capture file, so they also will be available for (later) analysis.
So where do these time stamps come from? While capturing, Wireshark gets the time stamps from
the libpcap (WinPcap) library, which in turn gets them from the operating system kernel. If the cap-
ture data is loaded from a capture file, Wireshark obviously gets the data from that file.
7.4.1. Wireshark internals
The internal format that Wireshark uses to keep a packet time stamp consists of the date (in days
since 1.1.1970) and the time of day (in nanoseconds since midnight). You can adjust the way Wire-
shark displays the time stamp data in the packet list, see the "Time Display Format" item in the Sec-
tion 3.7, “The "View" menu” for details.
While reading or writing capture files, Wireshark converts the time stamp data between the capture
file format and the internal format as required.
While capturing, Wireshark uses the libpcap (WinPcap) capture library which supports microsecond
resolution. Unless you are working with specialized capturing hardware, this resolution should be
adequate.
7.4.2. Capture file formats
Every capture file format that Wireshark knows supports time stamps. The time stamp precision
supported by a specific capture file format differs widely and varies from one second "0" to one
nanosecond "0.123456789". Most file formats store the time stamps with a fixed precision (e.g. mi-
croseconds), while some file formats are even capable of storing the time stamp precision itself
(whatever the benefit may be).
The common libpcap capture file format that is used by Wireshark (and a lot of other tools) supports
a fixed microsecond resolution "0.123456" only.
Note!
Writing data into a capture file format that doesn't provide the capability to store the
actual precision will lead to loss of information. Example: If you load a capture file
with nanosecond resolution and store the capture data to a libpcap file (with micro-
second resolution) Wireshark obviously must reduce the precision from nanosecond to
microsecond.
7.4.3. Accuracy
It's often asked: "Which time stamp accuracy is provided by Wireshark?". Well, Wireshark doesn't
create any time stamps itself but simply gets them from "somewhere else" and displays them. So ac-
curacy will depend on the capture system (operating system, performance, ...) that you use. Because
of this, the above question is difficult to answer in a general way.
Note!
USB connected network adapters often provide a very bad time stamp accuracy. The
incoming packets have to take "a long and winding road" to travel through the USB
cable until they actually reach the kernel. As the incoming packets are time stamped
when they are processed by the kernel, this time stamping mechanism becomes very
Advanced Topics
136
- Wireshark User's Guide 1
- Table of Contents 4
- 1. Foreword 9
- 3. Acknowledgements 11
- 4. About this document 12
- Chapter 1. Introduction 16
- 1.1.6. Many protocol decoders 17
- 1.1.7. Open Source Software 17
- 1.1.8. What Wireshark is not 18
- 1.2. System Requirements 19
- 1.2.3. Unix / Linux 20
- 1.3. Where to get Wireshark? 21
- Wireshark 23
- 1.6.1. Website 24
- 1.6.2. Wiki 24
- 1.6.3. FAQ 24
- 1.6.4. Mailing Lists 24
- 1.6.5. Reporting Problems 25
- Introduction 27
- Download all required files! 29
- 2.8.1. Install Wireshark 36
- 2.8.1.4. Command line options 37
- 2.8.3. Update Wireshark 38
- 2.8.4. Update WinPcap 38
- 2.8.5. Uninstall Wireshark 38
- 2.8.6. Uninstall WinPcap 39
- Chapter 3. User Interface 41
- 3.2. Start Wireshark 42
- 3.3. The Main window 43
- 3.3.1. Main Window Navigation 44
- 3.4. The Menu 45
- Table 3.2. File menu items 46
- Table 3.3. Edit menu items 49
- Table 3.4. View menu items 51
- 3.8. The "Go" menu 55
- Table 3.6. Capture menu items 57
- Table 3.7. Analyze menu items 59
- Table 3.9. Tools menu items 64
- Table 3.10. Help menu items 65
- 3.19. The Statusbar 74
- User Interface 76
- 4.1. Introduction 77
- 4.2. Prerequisites 78
- 4.3. Start Capturing 79
- 4.5.1. Capture frame 82
- 4.5.2. Capture File(s) frame 84
- 4.5.3. Stop Capture... frame 84
- 4.5.4. Display Options frame 85
- 4.5.5. Name Resolution frame 85
- 4.5.6. Buttons 85
- Microsoft Windows only 86
- 4.8. Link-layer header type 89
- Capturing Live Network Data 92
- Printing 96
- 5.2. Open capture files 97
- 5.2.2. Input File Formats 99
- 5.3. Saving captured packets 101
- 5.3.2. Output File Formats 103
- 5.4. Merging capture files 105
- 5.5. File Sets 107
- 5.6. Exporting data 109
- File" dialog box 110
- 5.7. Printing packets 115
- 5.8. The Packet Range frame 117
- 5.9. The Packet Format frame 118
- Working with captured packets 121
- 6.2. Pop-up menus 122
- 6.4.1. Display filter fields 129
- 6.4.2. Comparing values 129
- 6.4.3. Combining expressions 131
- 6.4.4. A common mistake 132
- Warning! 135
- 6.8. Finding packets 138
- 6.9. Go to a specific packet 140
- 6.10. Marking packets 141
- Chapter 7. Advanced Topics 145
- 7.2. Following TCP streams 146
- 7.3. Expert Infos 148
- 7.3.1.3. Protocol 149
- 7.3.1.4. Summary 149
- 7.3.2.2. Details tab 150
- 7.4. Time Stamps 151
- 7.5. Time Zones 153
- 7.6. Packet Reassembling 156
- 7.7. Name Resolution 158
- 7.8. Checksums 160
- 7.8.2. Checksum offloading 161
- Advanced Topics 162
- Chapter 8. Statistics 163
- Statistics 164
- 8.4. Conversations 168
- 8.5. Endpoints 170
- 8.7. WLAN Traffic Statistics 174
- 8.8. Service Response Time 175
- 9.1. Introduction 179
- Customizing Wireshark 185
- 9.3. Packet colorization 186
- 9.4.2. User Specified Decodes 191
- 9.5. Preferences 193
- 9.5.1. Interface Options 194
- 9.6. Configuration Profiles 195
- Used as a folder name 196
- Illegal characters 196
- 9.7. User Table 198
- 9.8. Display Filter Macros 199
- 9.9. GeoIP Database Paths 200
- 9.11. SCCP users Table 202
- 9.13. SMI (MIB and PIB) Paths 204
- 9.14. SNMP users Table 205
- 10.1. Introduction 208
- Lua Support in Wireshark 209
- 10.4.1. Saving capture files 211
- 10.4.1.2. PseudoHeader 212
- 10.4.2.1. Field 213
- 10.4.2.2. FieldInfo 214
- 10.4.3. GUI support 215
- 10.4.3.2. TextWindow 216
- 10.4.3.3.1. gui_enabled() 218
- 10.4.3.3.4. retap_packets() 219
- 10.4.4.1. Listener 220
- 10.4.5.1. Address 221
- 10.4.5.2. Column 222
- 10.4.5.3. Columns 222
- 10.4.5.4. Pinfo 223
- 10.4.6.1. Dissector 225
- 10.4.6.2. DissectorTable 225
- 10.4.6.3. Pref 227
- 10.4.6.4. Prefs 228
- 10.4.6.5. Proto 229
- 10.4.6.6. ProtoField 229
- 10.4.7.1. TreeItem 237
- 10.4.8.1. ByteArray 238
- 10.4.8.2. Int 240
- 10.4.8.3. Tvb 240
- 10.4.8.4. TvbRange 241
- 10.4.8.5. UInt 243
- 10.4.9. Utility Functions 244
- 10.4.9.2.10. dofile(filename) 246
- Appendix A. Files and Folders 248
- Files and Folders 249
- • the current display filter 249
- Windows folders 251
- Unix/Linux folders 251
- C0.A8.2C.00 HR 254
- 00:00:BE:EF IT_Server1 254
- 110f FileServer3 254
- C.1. Packet List Messages 259
- C.2. Packet Details Messages 260
- Wireshark Messages 261
- D.1. Introduction 262
- Related command line tools 263
- CORBA IDL files 276
- D.9.4. TODO 278
- D.9.5. Limitations 278
- D.9.6. Notes 278
© 2020, manymanuals.de. Alle Rechte vorbehalten. | 1.125 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern