Network Analysis Using Wireshark 2 Cookbook(Second Edition)
上QQ阅读APP看书,第一时间看更新

There's more...

In cases where the capture time is important, and you wish to capture data on one interface or more, and you want to be time-synchronized with the server you are monitoring, you can use Network Time Protocol (NTP) for this purpose, and synchronize your Wireshark and the monitored servers with a central time source.

This is important in cases where you want to go through the Wireshark capture file in parallel to a server log file, and look for events that are shown on both. For example, if you see retransmissions in the capture file at the same time as a server or application error on the monitored server, then you will know that the retransmissions are because of server errors and not because of the network.

The Wireshark software takes its time from the OS clock (Windows, Linux, and so on). To configure the OS to work with a time server, go to the relevant manuals of the operating system that you work with.

In Microsoft Windows 7, configure it as follows:

  1. Go to Control Panel
  2. Choose Clock, Language, and Region
  3. Under Date and Time, Choose Set the time and date. Change to the Internet time tab
  4. Click on the Change Settings button
  5. Change the server name or IP address
In Microsoft Windows 7 and later, there is a default setting for the time server. As long as all devices are tuned to it, you can use it like any other time server.

NTP is a network protocol used for time synchronization. When you configure your network devices (routers, switches, fws, and so on) and servers to the same time source, they will be time synchronized to this source. The accuracy of the synchronization depends on the accuracy of the time server that is measured in levels or stratum. The higher the level is, it will be more accurate. Level 1 is the highest. The higher the level, the lower the accuracy. Usually you will have level 2 to 4.

NTP was first standardized in RFC 1059 (NTPv1) and then in RFC 1119 (NTPv2). The common versions in the last few years are NTPv3 (RFC1305) and NTPv4 (RFC 5905).

You can get a list of NTP servers on various websites, some of them are: http://support.ntp.org/bin/view/Servers/StratumOneTimeServers And http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm