While packets are captured, each packet is timestamped. These timestamps will be saved to the capture file, so they will be available for later analysis.
A detailed description of timestamps, timezones and alike can be found at: Section 7.6, “Time Stamps”.
The timestamp presentation format and the precision in the packet list can be chosen using the View menu, see Figure 3.5, “The “View” Menu”.
The available presentation formats are:
- Date and Time of Day: 1970-01-01 01:02:03.123456 The absolute date and time of the day when the packet was captured.
- Time of Day: 01:02:03.123456 The absolute time of the day when the packet was captured.
- Seconds Since Beginning of Capture: 123.123456 The time relative to the start of the capture file or the first “Time Reference” before this packet (see Section 6.12.1, “Packet time referencing”).
- Seconds Since Previous Captured Packet: 1.123456 The time relative to the previous captured packet.
- Seconds Since Previous Displayed Packet: 1.123456 The time relative to the previous displayed packet.
- Seconds Since Epoch (1970-01-01): 1234567890.123456 The time relative to epoch (midnight UTC of January 1, 1970).
The available precisions (aka. the number of displayed decimal places) are:
- Automatic The timestamp precision of the loaded capture file format will be used (the default).
- Seconds, Deciseconds, Centiseconds, Milliseconds, Microseconds or Nanoseconds The timestamp precision will be forced to the given setting. If the actually available precision is smaller, zeros will be appended. If the precision is larger, the remaining decimal places will be cut off.
Precision example: If you have a timestamp and it’s displayed using, “Seconds Since Previous Packet”, : the value might be 1.123456. This will be displayed using the “Automatic” setting for libpcap files (which is microseconds). If you use Seconds it would show simply 1 and if you use Nanoseconds it shows 1.123456000.
The user can set time references to packets. A time reference is the starting point for all subsequent packet time calculations. It will be useful, if you want to see the time values relative to a special packet, e.g. the start of a new request. It’s possible to set multiple time references in the capture file.
The time references will not be saved permanently and will be lost when you close the capture file.
Time referencing will only be useful if the time display format is set to “Seconds Since Beginning of Capture”. If one of the other time display formats are used, time referencing will have no effect (and will make no sense either).
To work with time references, choose one of the Time Reference items in the Edit menu or from the pop-up menu of the “Packet List” pane. See Section 3.6, “The “Edit” menu”.
- Set Time Reference (toggle) Toggles the time reference state of the currently selected packet to on or off.
- Find Next Find the next time referenced packet in the “Packet List” pane.
- Find Previous Find the previous time referenced packet in the “Packet List” pane.
A time referenced packet will be marked with the string *REF* in the Time column (see packet number 10). All subsequent packets will show the time since the last time reference.