Fixing Wireshark Timestamps

posted in: Tutorial, Wireshark | 0

Wireshark timestamps can be very confusing and frustrating.  Sometimes they are dead on and other times you look at the interface and question why Wireshark even bothers to have timestamps.  I think it’s important to understand how Wireshark captures these timestamps before we dive in to how to fix them.  Firstly, wireshark does not generate the timestamps on it’s own; according to the manual, the timestamps are retrieved from the capturing computers kernel.  Therefore if the time is incorrect on the capturing host, the timestamps in the pcap file will be incorrect as well.  Secondly, it’s important to understand how the time is saved in the pcap file; again according to the manual, the timestamp is stored in days since the epoch (January 1st 1970) and milliseconds since midnight.  The time is also stored in Coordinated Universal Time or UTC.

The fact that the timestamps are stored in UTC may be the cause of many of the problems that people face.  You see timezones are not represented in wireshark so you need to tell the application what the offset from UTC is.  For example if the packet capture was taken on the east coast of the United States then you would need to subtract 5 hours from UTC to get the correct time.  This is easily done in wireshark.  Open the packet capture file and click on the Edit Menu > Time Shift.

Wireshark Edit Menu

This will bring up a menu that will allow you to put in an offset for all packets in hours, minutes, days, etc.  This menu will also allow you to set a specific packet to a specific timestamp and have wireshark extrapolate the timestamps of the rest of the packets.

Wireshark Timeshift Menu

So, that is the quick tutorial on how to fix timestamps within wireshark.  A few tips to remember when capturing packets where time is important.  Firstly, if you travel around the world and use wireshark, make sure that you don’t change the time on your computer.  The best practice is to change the timezone.  If you change the time, then all the packets will record their time in UTC, however the UTC time will be off because you changed the computer time instead of the timezone.  Secondly, if you work with people from around the world and receive packet captures from them for analysis, make sure that you know what timezone the packet capture was taken in.  And finally if you have a full packet capture system, make sure that it receives constant and accurate updates from an internet based time server such as the ones maintained by NIST.

Leave a Reply