Re: Splitting up large .pcap file results in inconsistent times
From: Guy Harris <guy () alum mit edu>
Date: Wed, 28 Jul 2010 11:15:56 -0700

On Jul 28, 2010, at 9:13 AM, Yida Gao wrote:

> So I have a large simulation that is about 600 seconds long.
> I split up the large .pcap file using editcap:
>
> editcap -i 100 Fulltest-1-0.pcap  100seconds.pcap
>
> However, when I open each of the files produced (6 of them), they all start with time 0, and end at around time 99.
> Why aren't the files continuous with the time?

They *are* continuous; you're just displaying them wrong.

In pcap files:

        1) there is *NO* indication of when a capture was started;

        2) each packet has a time stamp, represented as seconds since January 1, 1970, 00:00:00 UTC.

In Wireshark, the time stamp can be displayed as:

        1) an absolute time (for example, "2010-07-28 11:07:00.0000");

        2) a time relative to the first packet in the file (seconds and fractions of a second since that packet);

        3) times relative to the previous packet (captured or displayed).

If you display times relative to the first packet in the file, therefore, *by definition* the first packet will have a 
time stamp of 0, as the number of seconds between a packet and itself is inherently 0.

> I would assume the last .pcap file would go from 500 seconds to 600 seconds.

The first file goes from T through T+99, where T is the time stamp - represented as seconds since January 1, 1970, 
00:00:00 UTC - of the first packet in Fulltest-1-0.pcap.  The second file goes from T+100 through T+199, the third file 
goes from T+200 through T+299, the fourth file goes from T+300 through T+399, the fifth file goes from T+400 through 
T+499, and the last file goes from T+500 through T+599.  If by "500 seconds to 600 seconds" you mean "from 500 seconds 
into the simulation to 600 seconds into the simulation", i.e. "from 500 seconds into the simulation through 599 seconds 
into the simulation", that *is* what the last pcap file does.

> How can I make the files continuous??

They *are* continuous.

If you mean "how can I view the files so that the times appear continuous", view the time stamps as absolute times, not 
times relative to the first packet in the file.
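The following is an added example, not code from the original message or from the Wireshark project. It builds a small pcap file with constructed packets, splits it into 100-second pieces the way the quoted editcap command does (the split logic here is a model of editcap -i, not a byte-exact reimplementation), and then shows the two time views Guy Harris describes: the per-packet timestamps stored in the file (seconds and microseconds since 1970-01-01 00:00:00 UTC) versus the "relative to the first packet in this file" view, which starts at 0 for every piece. The global pcap header written here carries a snaplen and link type but no capture start time, which is the point of the reply. The epoch value T and the 60 dummy packets are constructed for the demonstration.

```python
import struct
from typing import Dict, List, Tuple

# Classic pcap magic for microsecond timestamps; written here little-endian.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

Packet = Tuple[float, bytes]  # (seconds since 1970-01-01 00:00:00 UTC, payload)


def build_pcap(packets: List[Packet]) -> bytes:
    """Serialize packets as a classic pcap file.

    The global header has magic, version, timezone offset, sigfigs,
    snaplen and link type. Note that there is NO field for the time the
    capture started: the only timing information is the per-record
    (ts_sec, ts_usec) pair written for each packet.
    """
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = [header]
    for ts, payload in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def parse_pcap(data: bytes) -> List[Packet]:
    """Parse a little-endian microsecond pcap produced by build_pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond-resolution pcap")
    packets: List[Packet] = []
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += RECORD_HEADER_LEN
        packets.append((sec + usec / 1_000_000, data[off:off + incl_len]))
        off += incl_len
    return packets


def split_by_interval(data: bytes, interval: float) -> List[bytes]:
    """Model of `editcap -i <interval>`: start a new output file every
    `interval` seconds, measured from the first packet's timestamp.
    Packet timestamps are copied through unchanged, so each piece keeps
    the absolute time of its packets."""
    packets = parse_pcap(data)
    if not packets:
        return []
    t0 = packets[0][0]
    buckets: Dict[int, List[Packet]] = {}
    for ts, payload in packets:
        buckets.setdefault(int((ts - t0) // interval), []).append((ts, payload))
    return [build_pcap(buckets[i]) for i in sorted(buckets)]


def absolute_times(data: bytes) -> List[float]:
    """The timestamps as stored: seconds since the Unix epoch."""
    return [round(ts, 6) for ts, _ in parse_pcap(data)]


def relative_times(data: bytes) -> List[float]:
    """Wireshark's 'seconds since first packet in the file' view.
    The first packet is 0 by definition, in every file."""
    packets = parse_pcap(data)
    t0 = packets[0][0]
    return [round(ts - t0, 6) for ts, _ in packets]


if __name__ == "__main__":
    # Constructed 600-second "simulation": one 60-byte packet every 10 s.
    T = 1_280_000_000  # constructed epoch timestamp of the first packet
    full = build_pcap([(T + 10 * k, b"\x00" * 60) for k in range(60)])
    pieces = split_by_interval(full, 100)
    for n, piece in enumerate(pieces, 1):
        print(f"piece {n}: absolute {absolute_times(piece)[0]}..{absolute_times(piece)[-1]}, "
              f"relative {relative_times(piece)[0]}..{relative_times(piece)[-1]}")
```

Every piece reports relative times 0 through 90 while its absolute times run T+0..T+90, T+100..T+190, and so on up to T+500..T+590: the files are continuous, only the relative view hides it. In Wireshark the same switch is View > Time Display Format; on the command line, `tshark -t a` prints absolute and `tshark -t r` prints relative-to-first-packet times.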