<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6000.16544" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px"
bgColor=#ffffff leftMargin=0 topMargin=0 name="Compose message area"
CanvasTabStop="true">
<DIV><FONT size=2>Timestamps are generated by WinPcap when the OS
notifies the WinPcap driver of the arrival of new packets. This can happen later
than the packet was actually received by the hardware. This is caused by a
feature that all the network cards implement, usually called interrupt
coalescing or interrupt mitigation. In practice the hardware (i.e. the NIC card)
doesn't notify the OS (with an interrupt) for every single received packet.
Packets are batched and the NIC generates a receive interrupt for the OS
(in particular the miniport driver controlling the NIC) only after a certain
number of packets have been received within a certain timeout (in the order of
some microseconds). The effect of this mitigation is that packets are notified
in batches to WinPcap (or to any protocol driver like the TCP/IP one). This
mitigation is done in order not to generate too many interrupts that can badly
affect the performance of a system.</FONT></DIV>
<DIV><FONT size=2>There is no solution to the problem with WinPcap, as normal
network cards and the OS itself have not been designed with packet capture in
mind, but rather with the objective of guaranteeing the best possible
performance. The usual solution is using capture cards that timestamp packets in
hardware. </FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>I hope this explains the phenomenon you are
seeing.</FONT></DIV>
<DIV><FONT size=2> </FONT></DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>--</FONT></DIV>
<DIV><FONT size=2>Gianluca Varenni, Windows DDK MVP</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>CACE Technologies<BR><A
href="http://www.cacetech.com">http://www.cacetech.com</A></FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=claudio.raiti@hotmail.it
href="mailto:claudio.raiti@hotmail.it">Claudio Raiti</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">Winpcap Users</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, December 07, 2007 11:33
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Timestamp
reliability</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2>I would like to know how reliable NPF timestamps
are. When I capture the traffic I created with an application using PACKET.DLL
between two notebooks, I note that they are very strange. I've tried to
capture with Wireshark too, but the results are the same. If I measure
interspace time between two consecutive frames, I see very often that the
timestamps indicate a too short interval. For example, Wireshark gives me
these two lines:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial
size=2>No. Time Source Destination Protocol Info</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>...</FONT></DIV>
<DIV><FONT face=Arial
size=2>9 0.000911 xxxx ...</FONT></DIV>
<DIV><FONT face=Arial
size=2>10 0.000912 xxx ...</FONT></DIV>
<DIV><FONT face=Arial size=2>...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>How is it possible that a frame arrived after one
usec? The traffic I create is done with a nominal interframe time of 0.01 ms
(that should be over the effective router capacity).</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>I'm using an 802.11N router with a PCMCIA wireless
card with Atheros chipset AR5008 and Windows XP/Vista on the two
notebooks.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Who can help me?</FONT></DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>
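An added example, not part of the original thread and not WinPcap code: one way to check a capture for the batched delivery described in the reply. It parses classic pcap records and groups packets whose timestamp gap is far shorter than the sender's pacing; the function names, the 0.5 ratio and the sample timestamps are assumptions constructed for illustration.

```python
import struct

def build_pcap(stamps_us):
    """Constructed sample data: classic little-endian pcap with dummy 60-byte frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes(60)
    for ts in stamps_us:
        sec, usec = divmod(ts, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_timestamps(data):
    """Return each record's timestamp in microseconds from classic pcap bytes."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    stamps, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(data):              # each record has a 16-byte header
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * 1_000_000 + usec)
        off += 16 + caplen
    return stamps

def find_batches(stamps_us, nominal_gap_us, ratio=0.5):
    """Group packets into delivery batches.

    A packet joins the current batch when its gap to the previous packet is
    below ratio * nominal_gap_us, i.e. shorter than the sender's pacing allows.
    Returns a list of (first_index, packet_count, span_us).
    """
    batches, start = [], 0
    for i in range(1, len(stamps_us) + 1):
        at_end = i == len(stamps_us)
        if at_end or stamps_us[i] - stamps_us[i - 1] >= ratio * nominal_gap_us:
            batches.append((start, i - start, stamps_us[i - 1] - stamps_us[start]))
            start = i
    return batches

# Constructed capture: sender paced at 100 us, frames stamped in bursts of four.
SAMPLE = build_pcap([400, 401, 402, 403, 800, 801, 802, 804, 1200, 1201, 1202, 1203])

if __name__ == "__main__":
    for first, count, span in find_batches(read_timestamps(SAMPLE), nominal_gap_us=100):
        print(f"packets {first}..{first + count - 1}: {count} frames stamped within {span} us")
```

Batches larger than one packet, separated by gaps several times the nominal interval, indicate that the timestamps reflect when the driver was notified rather than when each frame reached the NIC.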