Time is of the essence—especially in packet analysis. Everything that happens on a network is time sensitive, and you will need to examine trends and network latency in nearly every capture file. Unicorn recognizes the importance of time and supplies several configurable options relating to it. In this section, we’ll look at time display formats and references.
Time Display
Unicorn support three time display format, including Absolute Time, Delta Time and Relative Time. Each packet that Unicorn captures is given a timestamp (absolute time), which is applied to the packet by the operating system. Unicorn can show the absolute timestamp indicating the exact moment when the packet was captured, as well as the time in relation to the last captured packet and the beginning and end of the capture. Delta time is the length of time between frames. It reflects the length of time between every frame. The time span between the current packet and the relative packet (if no relative packet is defined, the first packet is the relative packet). It is default settings to only display absolute time, if you want to display other time, click the right button of mouse on packet list header and select column to be displayed.
Figure 4-8: Time display settings
Packet Time Referencing
Packet time referencing allows you to configure a certain packet so that all subsequent time calculations are done in relation to that specific packet. This feature is particularly handy when you are examining a series of sequential events that are triggered somewhere other than the start of the capture file.
To set a time reference to a certain packet, select the reference packet in the Packet List pane, then click the right button of mouse and choose Set Relative Packets.
When you enable a time reference on a particular packet, the Time column in the Packet List pane will display *REF*, as shown in Figure 4-9.
Setting a packet time reference is useful only when the time display format of a capture is set to display the time in relation to the beginning of the capture. Any other setting will produce no usable results and will create a set of times that can be very confusing.
Figure 4-9: A packet with the packet time reference toggle enabled