<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>YET ANOTHER thought (sorry for the sudden flurry of emails!): WinPCap's
timestamp logic starts out as being identical to the system time but is then
incremented based on the high performance (CPU) clock. Thus, since the high
performance clock's frequency <i>can</i> change over time (due to the CPU being
placed into power-saving mode[1]), the high performance counter technique that
WinPCap uses to timestamp its captured packets with is <i><u>NOT</u></i>
accurate beyond a short period of time.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>That is to say, for a capture session lasting only several
seconds to several minutes (several hours might be pushing it), WinPCap's
timestamp <i>should</i> be close enough for most purposes.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But for a capture session lasting <i><u>DAYS?!</u></i> Forget
it!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If WinPCap would periodically "resync" (reinitialize) its
starting base capture time (i.e. its GetSystemTime value), then <i>perhaps</i> the
resulting timestamps might be reasonably accurate for much, much longer.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But when a capture is started, WinPCap obtains the GetSystemTime
value only once at the start of the capture session and then never ever again
retrieves it. Instead, it keeps incrementing it internally (more or less) based
off of the CPU's high performance counter value.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I suppose one <i>possible</i> way of working around this issue
would be to periodically (say, every couple of minutes?) start a new capture
session and then close the original capture session (so as to not lose any
packets). Thus the new capture session would, during its WinPCap initialization,
obtain a new starting/base GetSystemTime value and thus end up essentially "resyncing"
itself with the operating system clock. That might work.<o:p></o:p></span></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'>-- </span><span
style='color:#1F497D'><br>
</span><span style='font-size:13.5pt;font-family:"Arial","sans-serif"'>
"</span><b><span style='font-family:"Arial","sans-serif";color:green'>Fish</span></b><span
style='font-size:13.5pt;font-family:"Arial","sans-serif"'>"</span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'> (</span><span
style='font-size:10.0pt;font-family:"Comic Sans MS";color:purple'>David B.
Trout</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>)</span><span style='color:#1F497D'> <br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'> </span><span style='color:#1F497D'> </span><u><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>fish@softdevlabs.com</span></u><span
style='color:#1F497D'><o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <b>On Behalf Of </b>Helmut
Vaupotitsch<br>
<b>Sent:</b> Tuesday, September 14, 2010 9:18 AM<br>
<b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> [Winpcap-users] timestamping and huge latency<br>
<b>Importance:</b> High<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><tt><span style='font-size:10.0pt'>Hi Gianluca and all
others,</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br>
<br>
<tt>I am facing a major latency problem on *long lasting* capture sessions
which maybe </tt><br>
<tt>has to do with timestamping by the driver, every hint to solve it is
appreciated:</tt><br>
<br>
<tt>We developed a proprietary protocol to configure, manage and monitor </tt><br>
<tt>our self-developed hardware, the config software uses WinPCap to capture
and send raw packets.</tt><br>
<br>
<tt>Everything is working fine, but after some days of continuous capturing i
face:</tt><br>
<tt>- On some machines, the latency between sending requests and receiving the
answer </tt><br>
<tt> increases to some seconds (can be up to >30 secs after capturing
for a week!)</tt><br>
<tt>Closing and re-opening the driver would solve the problem, but i definitely
need to capture</tt><br>
<tt>for months and longer without interrupt!</tt><br>
<br>
<tt>I know that the driver timestamp is drifting apart from the System
Time(which can be</tt><br>
<tt>synchronized by e.g. a NTP server), therefore i timestamp the frames my
myself(which </tt><br>
<tt>is also important if a use timeouts)</tt><br>
<br>
<tt><b>My question is:</b></tt><b><br>
<tt>What could be the reason(s) for huge latency on long lasting captures?</tt><br>
</b><tt>I know that the latency increases on receiving packets</tt><br>
<tt>Currently i don´t know if sending´s latency also increases</tt><br>
<tt>Maybe it has something to do with the GetSystemTimeAdjustment setting?</tt><br>
</span><br>
<span style='font-size:10.0pt;font-family:"Courier New"'><br>
<tt>Thanks for reading</tt><br>
<br>
<tt>Best regards from Austria</tt><br>
<tt>Helmut</tt><br>
<br>
</span><br>
Gianluca Varenni schrieb: <o:p></o:p></p>
<pre>The return value of QuerySystemTime and QueryPerformanceCounter is <o:p></o:p></pre><pre>synchronized at the beginning of the capture (to compute the offset between <o:p></o:p></pre><pre>epoch time and QueryPerformanceCounter), and then the counter and frequency <o:p></o:p></pre><pre>returned by QPC are used to compute the number of seconds (and microseconds) <o:p></o:p></pre><pre>and added to the offset.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>The timestamping code is available in the source code of WinPcap, <o:p></o:p></pre><pre>winpcap\packetntx\driver\time_calls.h<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Have a nice day<o:p></o:p></pre><pre>GV<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>--------------------------------------------------<o:p></o:p></pre><pre>From: "Jan Martinec" <a
href="mailto:martij12@fel.cvut.cz"><martij12@fel.cvut.cz></a><o:p></o:p></pre><pre>Sent: Tuesday, September 14, 2010 7:23 AM<o:p></o:p></pre><pre>To: <a
href="mailto:winpcap-users@winpcap.org"><winpcap-users@winpcap.org></a><o:p></o:p></pre><pre>Subject: [Winpcap-users] timestamp<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hello!<o:p></o:p></pre><pre>I've got a question about timestamping method. I know that a timestamp<o:p></o:p></pre><pre>is got using method QueryPerformanceCounter (resp.<o:p></o:p></pre><pre>keQueryPerformanceCounter), which is a number of ticks of Performance<o:p></o:p></pre><pre>counter. But timestamp is by Winpcap returned in "Seconds since Epoch"<o:p></o:p></pre><pre>format. So how is the recomputation done?<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Thank you very much<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Best regards,<o:p></o:p></pre><pre>Jan Martinec<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>Winpcap-users mailing list<o:p></o:p></pre><pre><a
href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre><pre><a
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>Winpcap-users mailing list<o:p></o:p></pre><pre><a
href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre><pre><a
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre><pre>----------------------------------------------------------------<o:p></o:p></pre><pre>Ing. Helmut Vaupotitsch Phone: +43 (0)3133 3780 16<o:p></o:p></pre><pre>ITEC Tontechnik und Fax: +43 (0)3133 3780 9<o:p></o:p></pre><pre>Industrieelektronik GmbH E-mail: <a
href="mailto:hv@itec-audio.com">hv@itec-audio.com</a><o:p></o:p></pre><pre>A-8200 Lassnitzthal 300 URL: <a
href="http://www.itec-audio.com">http://www.itec-audio.com</a><o:p></o:p></pre><pre>----------------------------------------------------------------<o:p></o:p></pre></div>
</div>
</body>
</html>