From the course: Wireshark: Network Troubleshooting

Displaying time - Wireshark Tutorial

Displaying time

- [Instructor] The concept of accurate time on a network is very important. Syslog audits and logs events which you can use to track problems and troubleshoot issues. In addition, some protocols such as Kerberos require synchronized time on the network. Periodically I check my wall clock with a more official source. I'm here at this website, time.gov. And we can take a look over here and it says your clock is off by 1.017 seconds. So now I'm in Wireshark and let's take a look at how we can view time. We'll go to View and a significant sub-menu choice deals with the time display. And I'll go here and we'll just expand this, the Time Display Format. Now in the first couple you can put it in any number of different ways. Date and time of day, year, day of year, and time of day, time of day, and here's one I probably would never use, seconds since January 1st, 1970. Most commonly you'll probably use one of these three. When we're doing an analysis, how would you like the time displayed? Seconds since beginning of capture will show you how many seconds have passed since the capture was started. Now that can be helpful, but in most cases it really won't be able to show you large gaps. Seconds since previously captured packet will show you how many seconds have passed since the previously captured packet. Now that can help, but what generally happens is we do put a filter. And that's why we most likely would use this one, seconds since previously displayed packet. Now this is going to be used when you apply a display filter, as it will show how many seconds have passed since the previously displayed packet and will more accurately show gaps in time. Now down below here, this is all precision, and when selecting a format this is going to be how many decimal places will be displayed. In most cases it's just really best to use automatic, and this is the default, because that will give the best precision the operating system can provide. 
So now that we know that, we can see the time up here, it is set for seconds since previously displayed packet. So what we can do is I'm going to right click and I'll say Follow TCP Stream. And then I want to go to stream 68. The 68 we know has some issues and we can see over here in the intelligent scrollbar we do see some issues and that indicates here the black. Well now where is the trouble happening? Well let's just take a look. If I go to any of these where we see the source 66.220 what I want to do is I want to apply a filter. So I really just want to see the traffic coming from 66.220. So now I already have a filter up there but what I want to do is Prepare as Filter and then say And Selected. And then I'll press Enter. Now we can actually see the gaps in time. And here is one really big gap in time, 32 seconds. Here's another one, 14 seconds. Now that's indicative of some issues, and as you can see then there's retransmissions and there's been a gap in the transmission. In some way something has happened. So we'll do one more thing and I'll show you this. I'll go to Statistics and then I'll go to TCP Stream Graphs and we'll do a Time Sequence graph. And here what it is really going to show you is confirming that nothing is happening for gaps of time. And here you can see that we get a little data transmission and then there's a wait period. Another little data transmission and then wait. And again here. So the whole concept of time is important and it can help you with troubleshooting issues on the network.
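The point the instructor makes about "seconds since previously captured packet" versus "seconds since previously displayed packet" can be reproduced outside Wireshark. The following is an added example, not code from the course or from Wireshark: it computes the three relative time formats over a small constructed capture (hypothetical hosts 10.0.0.5 and 10.0.0.9, timestamps made up for illustration) and shows why a stall by one host only becomes visible in the delta-displayed column once a display filter is applied.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Frame:
    number: int
    src: str
    epoch: float  # absolute timestamp, seconds since 1970-01-01 (Wireshark's "epoch" format)

# Constructed sample capture (not the course's trace). HOST_A is the hypothetical peer
# we want to isolate; HOST_B's chatter is interleaved right before each of A's late
# packets, so "since previous captured packet" stays tiny even when A stalls for 15-30 s.
HOST_A, HOST_B = "10.0.0.5", "10.0.0.9"
SAMPLE = [
    Frame(1, HOST_A, 1700000000.000),
    Frame(2, HOST_B, 1700000000.100),
    Frame(3, HOST_A, 1700000000.200),
    Frame(4, HOST_B, 1700000016.000),
    Frame(5, HOST_A, 1700000016.050),  # A silent for 15.85 s, B spoke 0.05 s earlier
    Frame(6, HOST_B, 1700000047.990),
    Frame(7, HOST_A, 1700000048.000),  # A silent for 31.95 s, B spoke 0.01 s earlier
]

Row = Tuple[int, float, float, float]

def relative_times(frames: List[Frame], display_filter: Callable[[Frame], bool]) -> List[Row]:
    """Mimic View > Time Display Format for the frames that pass a display filter.
    Each row: (frame number, seconds since beginning of capture,
               seconds since previous captured packet, seconds since previous displayed packet).
    Like Wireshark, the 'captured' delta counts every frame, the 'displayed' delta only filtered ones."""
    rows: List[Row] = []
    start = frames[0].epoch
    prev_captured = prev_displayed = None
    for f in sorted(frames, key=lambda x: x.number):
        since_captured = 0.0 if prev_captured is None else f.epoch - prev_captured
        prev_captured = f.epoch
        if display_filter(f):
            since_displayed = 0.0 if prev_displayed is None else f.epoch - prev_displayed
            prev_displayed = f.epoch
            rows.append((f.number, round(f.epoch - start, 6),
                         round(since_captured, 6), round(since_displayed, 6)))
    return rows

def find_gaps(rows: List[Row], column: int, threshold: float) -> List[int]:
    """Frame numbers whose delta in `column` (2 = prev captured, 3 = prev displayed) exceeds threshold."""
    return [r[0] for r in rows if r[column] > threshold]

if __name__ == "__main__":
    rows = relative_times(SAMPLE, lambda f: f.src == HOST_A)  # equivalent of ip.src == 10.0.0.5
    for r in rows:
        print("frame %d  start+%.6f  captured+%.6f  displayed+%.6f" % r)
    print("gaps > 10 s (prev displayed):", find_gaps(rows, 3, 10.0))  # [5, 7]
    print("gaps > 10 s (prev captured): ", find_gaps(rows, 2, 10.0))  # []
```

With the filter applied, the "previously displayed" column flags frames 5 and 7 as the stalls, while the "previously captured" column reports deltas of only 0.05 s and 0.01 s because another host happened to transmit just before each late packet.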
