User Guide

Advanced Topics
This way you will tell your computer both the local time and also the time offset to UTC.
Tip!
If you travel around the world, a common mistake is to adjust the hours of your computer
clock to the local time. Don't adjust the hours; change your time zone setting instead! For your
computer, the time is essentially the same as before; you are simply in a different time zone
with a different local time!
Tip!
You can use the Network Time Protocol (NTP) to automatically adjust your computer to the
correct time, by synchronizing it to Internet NTP clock servers. NTP clients are available for
all operating systems that Wireshark supports (and for a lot more), for examples see:
http://www.ntp.org/.
7.5.2. Wireshark and Time Zones
So what's the relationship between Wireshark and time zones anyway?
Wireshark's native capture file format (libpcap format), and some other capture file formats, such as the
Windows Sniffer, EtherPeek, AiroPeek, and Sun snoop formats, save the arrival time of packets as UTC
values. UN*X systems, and "Windows NT based" systems (Windows NT 4.0, 2000, XP, Server 2003,
Vista, Server 2008, 7) represent time internally as UTC. When Wireshark is capturing, no conversion
is necessary. However, if the system time zone is not set correctly, the system's UTC time might not
be correctly set even if the system clock appears to display correct local time. "Windows 9x based"
systems (Windows 95, Windows 98, Windows Me) represent time internally as local time. When capturing,
WinPcap has to convert the time to UTC before supplying it to Wireshark. If the system's time zone is not
set correctly, that conversion will not be done correctly.
Other capture file formats, such as the Microsoft Network Monitor, DOS-based Sniffer, and Network
Instruments Observer formats, save the arrival time of packets as local time values.
Internally to Wireshark, time stamps are represented in UTC; this means that, when reading capture files
that save the arrival time of packets as local time values, Wireshark must convert those local time values
to UTC values.
Wireshark in turn always displays time stamps in local time. The displaying computer converts
them from UTC to local time and displays this (local) time. For capture files saving the arrival time of
packets as UTC values, this means that the arrival time will be displayed as the local time in your time
zone, which might not be the same as the arrival time in the time zone in which the packet was captured.
For capture files saving the arrival time of packets as local time values, the conversion to UTC will be
done using your time zone's offset from UTC and DST rules, which means the conversion will not be done
correctly; the conversion back to local time for display might undo this correctly, in which case the arrival
time will be displayed as the arrival time in the time zone in which the packet was captured.
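The two cases above, worked through as an added example (not code from Wireshark or this guide). It assumes the fixed no-DST offsets of Table 7.2 for a subset of its cities; the function names and the sample time stamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets (hours, no DST) taken from Table 7.2; a subset of its cities.
OFFSETS = {"Los Angeles": -8, "New York": -5, "London": 0, "Berlin": 1, "Tokyo": 9}

def zone(city):
    return timezone(timedelta(hours=OFFSETS[city]), city)

def read_utc_file(stored, reader_city):
    """UTC-stamped file: stored value is the true instant; only the display shifts."""
    return stored.replace(tzinfo=timezone.utc).astimezone(zone(reader_city))

def read_local_file(stored, reader_city):
    """Local-time file: no zone is recorded, so the reader applies its own offset.
    Returns (internal UTC value, time displayed to the reader)."""
    internal = stored.replace(tzinfo=zone(reader_city)).astimezone(timezone.utc)
    return internal, internal.astimezone(zone(reader_city))

def utc_error(stored, capture_city, reader_city):
    """How far the reader's internal UTC value is from the true capture instant."""
    true_utc = stored.replace(tzinfo=zone(capture_city)).astimezone(timezone.utc)
    return read_local_file(stored, reader_city)[0] - true_utc

if __name__ == "__main__":
    utc_stamp = datetime(2024, 1, 15, 10, 0)    # constructed: 10:00 UTC in the file
    local_stamp = datetime(2024, 1, 15, 11, 0)  # constructed: 11:00 Berlin wall clock
    for city in OFFSETS:
        shown = read_utc_file(utc_stamp, city)
        internal, redisplayed = read_local_file(local_stamp, city)
        err_h = utc_error(local_stamp, "Berlin", city).total_seconds() / 3600
        print(f"{city:12} UTC file shows {shown:%H:%M} | local file: internal "
              f"{internal:%H:%M} UTC, shows {redisplayed:%H:%M}, UTC error {err_h:+.0f} h")
```

For the local-time file, every reader sees 11:00 on screen, yet the internal UTC value is off by the difference between the capture and reader offsets, which matters when packet times are correlated with UTC-stamped logs from other systems.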
Table 7.2. Time zone examples for UTC arrival times (without DST)

                       Los Angeles   New York   Madrid   London   Berlin   Tokyo
Capture File (UTC)     10:00         10:00      10:00    10:00    10:00    10:00
Local Offset to UTC    -8            -5         -1       0        +1       +9