3

There is an example of a pcap file opened in Wireshark.

The second column is time. Is it possible to see absolute timestamps here instead of relative?

user1700494
  • 2
    In the `View` menu click `Time Display Format` and choose one of the `Time of Day` options. (The file is already fine.) – dave_thompson_085 Apr 25 '16 at 14:32
  • 1
    @dave_thompson_085 Could you please submit your comment as an answer? It's the correct answer to the question. –  Apr 25 '16 at 19:04

2 Answers

4

(from comment)

A pcap file (from tcpdump or wireshark or AFAIK anything else using libpcap) already has absolute time; it's only the Wireshark display you need to adjust.

In the View menu click Time Display Format and choose one of the Time of Day options.

dave_thompson_085
2

tcpdump has its own timestamp options.

-t
    Don't print a timestamp on each dump line. 
-tt
    Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line. 
-ttt
    Print a delta (micro-second resolution) between current and previous line on each dump line. 
-tttt
    Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line. 
-ttttt
    Print a delta (micro-second resolution) between current and first line on each dump line. 

You can find more info in the tcpdump manpage.
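As an added example (not code from either answer, tcpdump or Wireshark), the sketch below reads the per-packet record headers of a classic pcap file to show that the stored times are absolute, and derives from them the date-and-time and delta views that the display options above switch between. The function names and the three-packet sample capture are constructed for illustration, and times are rendered in UTC.

```python
import struct
from datetime import datetime, timezone

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # classic pcap magics (usec / nsec)

def read_timestamps(data):
    """Return every record's absolute capture time as (epoch seconds, nanoseconds)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number also reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    scale = 1000 if magic == MAGIC_USEC else 1
    stamps, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        stamps.append((sec, frac * scale))
        off += 16 + incl_len  # skip the captured bytes to reach the next record header
    return stamps

def views(stamps):
    """Per packet: (UTC date and time, usec since previous packet, usec since first packet)."""
    rows, first, prev = [], None, None
    for sec, nsec in stamps:
        now = sec * 10**9 + nsec
        first = now if first is None else first
        prev = now if prev is None else prev
        day = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((f"{day}.{nsec // 1000:06d}", (now - prev) // 1000, (now - first) // 1000))
        prev = now
    return rows

def build_sample():
    """Constructed three-packet capture (little-endian, usec resolution, dummy payloads)."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in [(1461594720, 250000, b"\x00" * 4),
                               (1461594720, 750500, b"\x00" * 6),
                               (1461594722, 100, b"\x00" * 2)]:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    for row in views(read_timestamps(build_sample())):
        print(*row)
```
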