
I need help with analyzing Wireshark captured packets


I need some help with analyzing captured data using Wireshark. What is the difference between large delta times (the "Time" column after selecting View | Time Display Format | Seconds Since Previous Displayed Packet) and TCP delta time (the "Calculate conversation timestamps" setting under Edit | Preferences | (+) Protocols | TCP)? And how can I use these filters to troubleshoot a slow network issue?

Thank you.
1 Solution
Bill Bach (President) commented:
Delta Time is the time since the previous displayed packet.  This is the time difference between ANY two packets, and may or may not have any bearing on a specific conversation.  However, if you select a single conversation (right-click/Conversation Filter/TCP), then you will be looking at ONLY those packets from the current conversation, and the numbers should be identical.

You'll see the difference mainly when two conversations are going on at the same time:
0.001  A->B
0.002  C->D
0.003  B->A
0.004  D->C

Notice that the delta time between packets 1 and 2 is 1ms.  However, these packets are completely unrelated, and this in itself is mostly meaningless.  The item with meaning is the time between packets 1 and 3 (and 2 and 4).  These are both 2ms.  Zooming into the conversation, you would see ONLY packets between the two nodes/ports, so Delta Time (displayed) is identical to conversation time.

Personally, I always use the Conversation Filter, so that I can look at just ONE conversation at a time.  This gives me both context and timings together.  When I see a huge jump in the timings, I then remove the filter and see if something else came into the server that would have taken a long time (that might explain the slowness).
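The two timings described in the answer above, reproduced in code. This is an added example, not code from the original thread or from Wireshark; it models the four-packet table above plus a constructed slow server turn, and it keys a "conversation" on the unordered pair of endpoints (Wireshark itself keys on the tcp.stream index, which also separates reused port pairs; that simplification is an assumption here). `delta_displayed` is the Seconds Since Previous Displayed Packet column, `tcp_time_delta` is the per-conversation delta you get with "Calculate conversation timestamps" on, and `slow_turns` is the equivalent of the display filter `tcp.time_delta > threshold`.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str]


@dataclass
class Packet:
    number: int   # frame number
    time: float   # absolute capture time, seconds
    src: str      # "host:port"
    dst: str      # "host:port"


def conversation_key(p: Packet) -> Key:
    # Both directions of a TCP conversation map to the same key.
    # Assumption: endpoint pair is enough; Wireshark uses tcp.stream.
    a, b = sorted((p.src, p.dst))
    return (a, b)


def delta_displayed(packets: List[Packet]) -> List[float]:
    """Seconds since previous displayed packet, regardless of conversation
    (View | Time Display Format | Seconds Since Previous Displayed Packet)."""
    out: List[float] = []
    prev = None
    for p in packets:
        out.append(0.0 if prev is None else round(p.time - prev.time, 6))
        prev = p
    return out


def tcp_time_delta(packets: List[Packet]) -> List[float]:
    """Seconds since the previous frame in the SAME conversation
    (tcp.time_delta with 'Calculate conversation timestamps' enabled)."""
    last_seen: Dict[Key, float] = {}
    out: List[float] = []
    for p in packets:
        k = conversation_key(p)
        out.append(round(p.time - last_seen[k], 6) if k in last_seen else 0.0)
        last_seen[k] = p.time
    return out


def conversation_filter(packets: List[Packet], key: Key) -> List[Packet]:
    """Equivalent of right-click / Conversation Filter / TCP."""
    return [p for p in packets if conversation_key(p) == key]


def slow_turns(packets: List[Packet], threshold: float) -> List[Tuple[int, float]]:
    """(frame number, conversation delta) for every frame whose peer took
    longer than `threshold` seconds to answer; same as `tcp.time_delta > threshold`."""
    return [(p.number, d) for p, d in zip(packets, tcp_time_delta(packets)) if d > threshold]


# Constructed sample: the answer's two interleaved conversations (frames 1-4),
# then A asks B again and B takes 1.5 s to reply while C->D traffic lands in between.
SAMPLE = [
    Packet(1, 0.001, "A:5000", "B:80"),
    Packet(2, 0.002, "C:5001", "D:80"),
    Packet(3, 0.003, "B:80", "A:5000"),
    Packet(4, 0.004, "D:80", "C:5001"),
    Packet(5, 0.005, "A:5000", "B:80"),
    Packet(6, 1.500, "C:5001", "D:80"),
    Packet(7, 1.505, "B:80", "A:5000"),
]

if __name__ == "__main__":
    for p, dd, td in zip(SAMPLE, delta_displayed(SAMPLE), tcp_time_delta(SAMPLE)):
        print(f"frame {p.number}  {p.src:>7} -> {p.dst:<7}  displayed={dd:.3f}  conversation={td:.3f}")
    print("slow turns (> 1 s):", slow_turns(SAMPLE, 1.0))
    # Within one conversation the two columns agree, as the answer says.
    ab = conversation_filter(SAMPLE, ("A:5000", "B:80"))
    print("A<->B only, displayed delta:", delta_displayed(ab))
```

Frame 7 is the one to notice: its displayed delta is 0.005 s, because frame 6 from another conversation happens to sit just before it, but its conversation delta is 1.5 s, the real wait on B. On a live capture the same columns come from tshark with the preference switched on, e.g. `tshark -r capture.pcap -o tcp.calculate_timestamps:TRUE -Y "tcp.time_delta > 1" -T fields -e frame.number -e tcp.stream -e frame.time_delta_displayed -e tcp.time_delta`.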
petaganayr (Author) commented:

Thank you for the comment. I think I understood your explanation. I have a few questions:

If the time difference between two conversations is huge but consistent for, let me say, 8 hours, what do you think it is?
What do you mean by "something else came into the server that would have taken a long time?"

Thank you.
petaganayr (Author) commented:
Great explanation. I understood it, believe it or not; it just took me a while because I'm new to analyzing Wireshark data. Thank you for the explanation.