Wireshark-users: Re: [Wireshark-users] Time synchronization for capturing packets
From: Stephen Fisher <[email protected]>
Date: Thu, 25 Aug 2011 13:07:33 -0600
On Thu, Aug 25, 2011 at 11:30:09AM +0200, Bartosz Kiziukiewicz wrote:

> I'm using two or more separate Windows machines for capturing traffic 
> in a few network points. The problem is that every machine has a 
> different RTC time (even if the difference is a few seconds). That 
> complicates the correct correlation of traffic dumps.

You can modify timestamps in capture files using the editcap command 
line utility.  In the most recent development versions of Wireshark 
(http://www.wireshark.org/download/automated/), there is a new feature 
under the Edit menu called "Time Shift" that has various choices for 
modifying the timestamps of packets:

	Shift all packets / Time offset

	Set (one) packet to time

	Set packets to time and extrapolate