How do I see absolute time stamps in Wireshark?
21,107
Solution 1
(from comment)
A pcap file (from tcpdump or wireshark or AFAIK anything else using libpcap) already has absolute time; it's only the Wireshark display you need to adjust.
In the View menu click Time Display Format and choose one of the Time of Day options.
Solution 2
tcpdump has its own timestump options for.
-t
Don't print a timestamp on each dump line.
-tt
Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.
-ttt
Print a delta (micro-second resolution) between current and previous line on each dump line.
-tttt
Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.
-ttttt
Print a delta (micro-second resolution) between current and first line on each dump line.
More info you can find at tcpdump manpage.
Related videos on Youtube
10 : 38
Learn Wireshark in 10 minutes - Wireshark Tutorial for Beginners
00 : 17
Determining Timestamp in wireshark
04 : 15
Wireshark - Using the Time Column
05 : 23
WireShark : Time Stamp and Time Value
01 : 59
DevOps & SysAdmins: How do I see absolute time stamps in Wireshark? (2 Solutions!!)
Author by
user1700494
Updated on September 18, 2022Comments
-
user1700494 over 1 year
There is an example of
pcapfile opened inwireshark
The second column is time. Is it possible to see absolute timestamps here instead of relative?
-
dave_thompson_085 about 8 yearsIn the
Viewmenu clickTime Display Formatand choose one of theTime of Dayoptions. (The file is already fine.) -
Admin about 8 years@dave_thompson_085 Could you please submit your comment as an answer? It's the correct answer to the question.
-
