Systems and methods for associating sessions using (TCP packet-level) timestamps are provided. A collection of data packets received during one or more sessions within a time period may be retrieved. Each packet in the collection may be associated with a unique identifier of a respective session. A skew for a selected session within the time period may be determined based on a rate difference between a respective receiving device clock and a respective sending device clock of at least two data packets associated with the unique identifier of the selected session. The selected session may be associated with a computing device. An uptime may be calculated for each of the retrieved data packets based on the determined skew and respective timestamp information of the data packet. It may be identified as to whether each of the calculated uptimes matches a previously calculated uptime for a packet associated with a previous session or a session that has previously been associated with a selected session. A list of sessions associated with the computing device may be updated based on one or more identified matches between the respective calculated uptime and the previously calculated uptime.