<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:x =
"urn:schemas-microsoft-com:office:excel" xmlns:p =
"urn:schemas-microsoft-com:office:powerpoint" xmlns:a =
"urn:schemas-microsoft-com:office:access" xmlns:dt =
"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s =
"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs =
"urn:schemas-microsoft-com:rowset" xmlns:z = "#RowsetSchema" xmlns:b =
"urn:schemas-microsoft-com:office:publisher" xmlns:ss =
"urn:schemas-microsoft-com:office:spreadsheet" xmlns:c =
"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa =
"urn:schemas-microsoft-com:office:activation" xmlns:html =
"http://www.w3.org/TR/REC-html40" xmlns:q =
"http://schemas.xmlsoap.org/soap/envelope/" XMLNS:D = "DAV:" xmlns:x2 =
"http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois =
"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir =
"http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds =
"http://www.w3.org/2000/09/xmldsig#" xmlns:dsp =
"http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc =
"http://schemas.microsoft.com/data/udc" xmlns:xsd =
"http://www.w3.org/2001/XMLSchema" xmlns:sub =
"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec =
"http://www.w3.org/2001/04/xmlenc#" xmlns:sp =
"http://schemas.microsoft.com/sharepoint/" xmlns:sps =
"http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi =
"http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf =
"http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf =
"http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver =
"http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels =
"http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t =
"http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m =
"http://schemas.microsoft.com/exchange/services/2006/messages" XMLNS:Z =
"urn:schemas-microsoft-com:"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]-->
<STYLE>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=white>
<DIV><FONT size=2>In this case I would probably modify the WinPcap driver to
return the original timestamps returned by QueryPerformanceCounter so that
computing such difference gives meaningful results. </FONT></DIV>
<DIV><FONT size=2>Recompiling the driver is not too difficult, what you need is
the windows driver kit (WDK) available at connect.microsoft.com. The only
problem you might encounter is if you need to run your custom compiled driver on
Vista x64 or Win2008 x64 (in this case the driver must be signed in order for
the OS to load it).</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>PS: please always reply to the mailing list alias, and not to
me directly, thanks.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Alex.Foygel@tradingtechnologies.com
href="mailto:Alex.Foygel@tradingtechnologies.com">Alex Foygel (TT)</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A
title=gianluca.varenni@cacetech.com
href="mailto:gianluca.varenni@cacetech.com">Gianluca Varenni</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, April 22, 2008 6:15
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Winpcap-users] Timestamp
accuracy question</DIV>
<DIV><BR></DIV>
<DIV class=Section1>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">The transmitter and the
receiver are on the same box; the transmitter can imbed high-resolution
timestamps (based on QueryPerformanceCounter) into the
messages.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">So, if I were able to extract
timestamps (set by the driver) from pcap raw file, which are also based on the
values returned by QueryPerformanceCounter, I would be able to calculate the
time difference (propagation delay that I’m looking at). In that case, the
clock drift or clock adjustments would not matter.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Thanks,<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Alex
Foygel<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<B>On Behalf Of </B>Gianluca Varenni<BR><B>Sent:</B> Monday, April 21, 2008
7:56 PM<BR><B>To:</B> winpcap-users@winpcap.org<BR><B>Subject:</B> Re:
[Winpcap-users] Timestamp accuracy question<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">----- Original
Message ----- <o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal style="BACKGROUND: #e4e4e4"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> <A
title=Alex.Foygel@tradingtechnologies.com
href="mailto:Alex.Foygel@tradingtechnologies.com">Alex Foygel (TT)</A>
<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">To:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> <A
title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A>
<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Sent:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> Monday, April
21, 2008 8:02 AM<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Subject:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"> [Winpcap-users]
Timestamp accuracy question<o:p></o:p></SPAN></P></DIV>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p> </o:p></SPAN></P></DIV>
<P class=MsoNormal>What is the <B>absolute</B> accuracy of the individual
packets’ timestamps? As far as I understand, the relative accuracy (one
packet relative to another packet captured within the same capture session)
is 1 microsecond (aside from the issues with SMP, etc.).<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>But the absolute accuracy, if I understand the code
correctly, seems to be in the order of milliseconds. The code (time_calls.h)
uses KeQuerySystemTime() to get the system time and to calculate the offset
between the system time and the high-resolution values returned by
KeQueryPerformanceCounter().<o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal>According to the documentation, even though
KeQuerySystemTime() returns the timestamps in 100 nanoseconds units, it’s
being updated once every 10 milliseconds. Thus, depending on when during the
10 ms cycle the Synchronize code ran, the offset calculated by the above
mentioned code can be up to 10 ms off.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Is my interpretation of the code correct?<o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P></BLOCKQUOTE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Yes.<o:p></o:p></SPAN></P>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>A simple way of fixing this problem (if it’s a problem at
all) seems to be to run KeQuerySystemTime() in a tight loop until the value
returned changes (this should take at most 10 ms because that’s how often
the system time is updated) and then use the new value to calculate the
offset. Am I oversimplifying the problem?<o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P></BLOCKQUOTE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">It could work. Please
consider that this is just the top of an iceberg. This would fix the 10ms
issue, but there are other factors that influence the absolute accuracy of
timestamps. In particular, KeQueryPerformanceTimer is not influenced by any
time adjustment made on the system clock (e.g. from an NTP server), it's a
sort of free running counter.</SPAN><o:p></o:p></P>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>The reason I’m asking the question is because I’m trying
to understand whether I can compare the timestamps imbedded by my
application in my messages with the timestamps captured by winpcap, to
check the time it takes for my packets to get from the application code
(through all the layers, including the network stack) to the NDIS layer when
it gets captured by winpcap.<o:p></o:p></P></BLOCKQUOTE>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">That can be a tough
problem. What is the exact scenario you are using? Are the transmitter and the
receiver on the same machine?</SPAN><o:p></o:p></P>
<P class=MsoNormal> <o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Have a nice
day</SPAN><o:p></o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">GV</SPAN><o:p></o:p></P>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thank you for your help,<o:p></o:p></P>
<P class=MsoNormal>Alex Foygel<o:p></o:p></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<o:p></o:p></SPAN></P></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>