[Winpcap-bugs] Timestamp negative offset

Thu Dec 10 09:47:35 PST 2009

See Attached.  Thanks for your help!

-Danny

From: Gianluca Varenni [mailto:gianluca.varenni at cacetech.com] 
Sent: Thursday, December 10, 2009 10:09 AM
To: Daniel Beutler; winpcap-bugs at winpcap.org
Subject: Re: [Winpcap-bugs] Timestamp negative offset

Can you please try this:

1. download debugview from 

http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx

and run it.

2. On a command line, run a sequence of "net stop npf" and "net start npf".

You should see some output in debugview, please send it to me.

GV

----- Original Message ----- 

From: Daniel Beutler <mailto:dannybeutler at gmail.com>  

To: 'Gianluca Varenni' <mailto:gianluca.varenni at cacetech.com>  ;
winpcap-bugs at winpcap.org 

Sent: Wednesday, December 09, 2009 5:33 PM

Subject: Re: [Winpcap-bugs] Timestamp negative offset

The virtual machine host is a windows 2008 server running the VM in Hyper-V.
The Virtual Machine itself has 2 logical processors.

Thanks,
Danny

From: Gianluca Varenni [mailto:gianluca.varenni at cacetech.com] 
Sent: Wednesday, December 09, 2009 5:50 PM
To: Daniel Beutler; winpcap-bugs at winpcap.org
Subject: Re: [Winpcap-bugs] Timestamp negative offset

Does the VM have more than 1 virtual CPU?

Which virtualization technology do you use?

Have a nice day

GV

----- Original Message ----- 

From: Daniel Beutler <mailto:dannybeutler at gmail.com>  

To: winpcap-bugs at winpcap.org 

Sent: Wednesday, December 09, 2009 11:29 AM

Subject: [Winpcap-bugs] Timestamp negative offset

WinPcap version 4.1.1

Windows Server 2003 Service Pack 2

Network Adapters: Microsoft Virtual Machine Bus Network Adapter (This
machine is a VM)

No special or differentiating networking software is installed on the
machine

Problem Description:

Packet timestamps are incorrect.  As you can see in the attached sniff, the
offset from the previous packet is negative for some packets.  I am going to
refer to the attached sniff as I explain this so it may help to have it open
as you read this. Packet #7 shows a negative offset of 7.917526 seconds from
the previous packet. Packet #8 shows a positive offset of 7.988451 from the
previous packet.  It seems as if there is a clock which is behind by about
7.95 seconds which some of the packets (#7,10,17,20,21,23,etc.) are getting
their timestamp from.  The interesting thing is that this 7.95 second gap
widens with system uptime.  For instance, immediately after rebooting the
server, the gap was only .007 seconds.  After system had been up for a few
days the gap was .73 seconds.  Now, after the server has been up 3 weeks,
the gap is almost 8 seconds. When I first noticed the problem the server had
been powered on for over a month and the gap was at 12 seconds.  Needless to
say, this makes reading the packet capture and calculating response times
very difficult.

Please note that this server is a Virtual Machine. 

Thanks,
Danny Beutler

  _____  

_______________________________________________
Winpcap-bugs mailing list
Winpcap-bugs at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-bugs

  _____  

_______________________________________________
Winpcap-bugs mailing list
Winpcap-bugs at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-bugs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20091210/1464035e/attachment-0001.htm 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debugviewoutput.LOG
Type: application/octet-stream
Size: 11774 bytes
Desc: not available
Url : http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20091210/1464035e/attachment-0001.obj 