I am trying to analyze TCP traffic using Wireshark. Currently, I am trying to get a better understanding of the time fields that are provided, namely `frame.time_relative` and `tcp.time_relative`.
After reading the documentation and dumping the trace into a JSON file with:
tshark -r trace.raw -T json -e frame.time_relative -e frame.time_delta -e tcp.time_relative -e tcp.time_delta
I get the impression that `frame.time_relative` and `tcp.time_relative` are the same. Is that correct? And if so, why do they both exist?
Thanks in advance.
No, they're not the same. According to the documentation, `frame.time_relative` gives the time since it received the first frame in the packet, whereas `tcp.time_relative` gives the time since it received the first frame in the TCP session. Since you might have several packets in a TCP session, `tcp.time_relative` may refer to a prior packet (`tcp.time_relative >= frame.time_relative`).
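To see how the two fields are derived, here is an added example (not part of the question or the answer above) that recomputes them from a constructed packet list, using the definitions from the Wireshark field reference: `frame.time_relative` is measured from the first frame in the capture, `tcp.time_relative` from the first frame of the packet's own TCP stream (`tcp.stream`), and the `*_delta` fields from the previous frame in the capture or in the stream respectively. The packet list is made up; on a real trace the same inputs come from `tshark -r trace.raw -T fields -e frame.number -e frame.time_epoch -e tcp.stream`. The example also reports which streams have `tcp.time_relative` identical to `frame.time_relative` for every packet, which is what happens when a capture contains a single stream that starts at frame 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Pkt:
    number: int            # frame.number
    time_epoch: float      # frame.time_epoch (absolute capture timestamp)
    stream: Optional[int]  # tcp.stream, None for non-TCP frames (e.g. ARP)


# Constructed sample capture: stream 0 starts at the first frame, stream 1
# starts one second later, frame 4 is a non-TCP frame.
SAMPLE: List[Pkt] = [
    Pkt(1, 100.0, 0),
    Pkt(2, 100.2, 0),
    Pkt(3, 101.0, 1),
    Pkt(4, 101.3, None),
    Pkt(5, 101.5, 0),
    Pkt(6, 102.0, 1),
]


def relative_times(packets: List[Pkt]) -> List[Dict[str, float]]:
    """Compute frame.time_relative/delta and tcp.time_relative/delta per frame.

    Results are rounded to nanoseconds, matching tshark's 9-digit output."""
    pkts = sorted(packets, key=lambda p: p.number)
    first_frame = pkts[0].time_epoch          # reference for frame.time_relative
    prev_frame: Optional[float] = None        # reference for frame.time_delta
    stream_first: Dict[int, float] = {}       # first frame seen per tcp.stream
    stream_prev: Dict[int, float] = {}        # previous frame seen per tcp.stream
    rows = []
    for p in pkts:
        row = {
            "frame.number": p.number,
            "frame.time_relative": round(p.time_epoch - first_frame, 9),
            "frame.time_delta": round(p.time_epoch - prev_frame, 9) if prev_frame is not None else 0.0,
        }
        if p.stream is not None:
            # The first packet of a stream defines that stream's zero point.
            start = stream_first.setdefault(p.stream, p.time_epoch)
            prev_in_stream = stream_prev.get(p.stream)
            row["tcp.stream"] = p.stream
            row["tcp.time_relative"] = round(p.time_epoch - start, 9)
            row["tcp.time_delta"] = round(p.time_epoch - prev_in_stream, 9) if prev_in_stream is not None else 0.0
            stream_prev[p.stream] = p.time_epoch
        prev_frame = p.time_epoch
        rows.append(row)
    return rows


def streams_with_identical_fields(rows: List[Dict[str, float]]) -> Set[int]:
    """Streams in which tcp.time_relative equals frame.time_relative on every packet.

    Only a stream whose first packet is also the first frame of the capture
    can satisfy this, which explains why the two columns look the same in a
    single-connection trace."""
    per_stream: Dict[int, List[bool]] = {}
    for r in rows:
        if "tcp.stream" in r:
            per_stream.setdefault(r["tcp.stream"], []).append(
                r["tcp.time_relative"] == r["frame.time_relative"]
            )
    return {s for s, flags in per_stream.items() if all(flags)}


if __name__ == "__main__":
    table = relative_times(SAMPLE)
    for r in table:
        print(r)
    print("streams where the two fields coincide:", streams_with_identical_fields(table))
```

In the sample, frame 3 opens stream 1 at `frame.time_relative` 1.0 but `tcp.time_relative` 0.0, and frame 6 reads 2.0 versus 1.0, so the two columns only line up for stream 0, the one that began with the capture.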