Wireshark-users: Re: [Wireshark-users] Time synchronization for capturing packets

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Thu, 25 Aug 2011 10:56:38 +0100

On 25/08/2011 10:30, Bartosz Kiziukiewicz wrote:
> Hi,
>
> I was wondering what would be the best solution for solving following problem.
>
> I'm using two or more separate Windows machines for capturing traffic in a
> few network points.
> The problem is that every machine has a different RTC time (even if the
> difference is a few seconds).
> That complicates the correct correlation of traffic dumps.
>
> What would be the best way to solve it?
>
> I was thinking about some external time synchronization between machines.
> However that would require additional network wiring and a separate NIC to
> do this.
> Also it would require to run some local SNTP software.
> My concern also is that it will not allow a precise enough synchronization
> due to the nature of Windows OS.
>
> As I recall, the timestamp of the pcap packet is given by the WinPcap
> driver, not the Wireshark itself.
>
> Are there any other, better ways to do it?
>
>
Windows has built-in facilities to synchronise the time between machines. 
Have a look at what the w32tm executable can do for you:
http://technet.microsoft.com/en-us/library/w32tm%28WS.10%29.aspx

Later versions of windows add more functionality to the command. 

-- 
Regards,

Graham Bloice