Manualshelf

User Guide

ManualsBrandsWireshark ManualsSoftwareWireshark Wireshark - 1.5
121122123124125126127128129130
Advanced Topics
115
The protocol field causing an expert info is colorized, e.g. uses a cyan background for a note severity
level. This color is propagated to the toplevel protocol item in the tree, so it's easy to find the field that
caused the expert info.
For the example screenshot above, the IP "Time to live" value is very low (only 1), so the corresponding
protocol field is marked with a cyan background. To easier find that item in the packet tree, the IP protocol
toplevel item is marked cyan as well.
7.3.4. "Expert" Packet List Column (optional)
An optional "Expert Info Severity" packet list column is available (since SVN 22387 # 0.99.7), that
displays the most significant severity of a packet, or stays empty if everything seems ok. This column
is not displayed by default, but can be easily added using the Preferences Columns page described in
Section 10.5, “Preferences”.
7.4. Time Stamps
Time stamps, their precisions and all that can be quite confusing. This section will provide you with
information about what's going on while Wireshark processes time stamps.
While packets are captured, each packet is time stamped as it comes in. These time stamps will be saved
to the capture file, so they also will be available for (later) analysis.
So where do these time stamps come from? While capturing, Wireshark gets the time stamps from the
libpcap (WinPcap) library, which in turn gets them from the operating system kernel. If the capture data
is loaded from a capture file, Wireshark obviously gets the data from that file.
7.4.1. Wireshark internals
The internal format that Wireshark uses to keep a packet time stamp consists of the date (in days since
1.1.1970) and the time of day (in nanoseconds since midnight). You can adjust the way Wireshark displays
the time stamp data in the packet list, see the "Time Display Format" item in the Section 3.7, “The "View"
menu” for details.
While reading or writing capture files, Wireshark converts the time stamp data between the capture file
format and the internal format as required.
While capturing, Wireshark uses the libpcap (WinPcap) capture library which supports microsecond
resolution. Unless you are working with specialized capturing hardware, this resolution should be
adequate.