Timestamping in live capture

If a capture is run in Wireshark with the “Enable timestamps in live capture” option enabled in the ProfiShark Manager, ProfiShark prepends a special header to each captured Ethernet packet. Wireshark needs a plugin (dissector) to interpret this header. This is the only way to get hardware-generated timestamps on frames captured by Wireshark.

The screenshot shows the raw frames with the ProfiShark timestamp header left uninterpreted. Note the low (millisecond) resolution of the displayed timestamp: it is generated in software by the capture driver.

The dissector file must be placed in Wireshark's plugin folder. This is a one-time operation. Once installed, the dissector must be configured in Wireshark. Once configured, the dissector plugin automatically recognizes the ProfiShark header, if present.

The dissector configuration is available in Edit→Preferences→Protocols→ProfiShark.

Once the dissector is installed and configured, the packets are dissected properly and a new ProfiShark header appears in the protocol tree. The header contains the hardware timestamp, the captured length and the packet length (which can differ if slicing is enabled or the CRC32 is removed), and the TAP port (A or B). The displayed time now has high resolution, and the delays between packets are exact. The extra header doesn't interfere with the dissection of other protocols.

The previous timestamp format (on the old black versions) was placed after the packet payload and it had three main disadvantages:

  1. It interfered with some protocol dissectors
  2. It was impossible to auto-detect the presence of ProfiShark's header
  3. It carried neither the size nor the interface information

The previous format has been replaced by this new format in the blue-labeled ProfiShark. However, the dissector plugin can still be configured to support the old timestamp format.

Limitation: When the “Enable timestamps in live capture” option is enabled, the capture filter might be inoperable in Wireshark.

  • Last modified: July 9, 2021