<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<pre wrap="">Thanks for all your detailed replies! WinPCapīs timestamping method is the best way to do it, because when you are interested on timestamps, then most likely everyone is interested in the relative time between two (consecutive) packets.
If WinPCap would periodically "resync" periodically, it would result in a sudden, absolutely wrong time difference between packets for and after such a resync.
<span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">>Another thing: if the sending and receiving/capturing systems'
>clocks are not synchronized with each other, then how are you measuring the supposed latency between sending and receiving/capturing?
</span>Of course i donīt measure times between different machines.
Going back to my issue, i discovered that my app itself must produce it. Iīm lucky about it, although i donīt understand it right now:
0) most packets were filtered by a dynamic kernel filter
(just "control frames" and some specific audio frames from hardware reach the user mode)
1) a receiving thread just captures and puts packets into some sort of pre-allocated ring buffer
2) a analyzing thread gets packets from the buffer, does some processing and puts the rest
into another queue (more or less "control frames")
3) the main thread processes the rest i.e. processes the commands in the "control frames"
and sends out commands
The analyzing thread is able to send audio frames directly to the sound card.
After some days, the main thread receives answers with increasing delay between sending out commands and receiving the answer from the audio hardware, but audio frames were <i>NOT </i>delayed, therefore it must be some sort of a sync problem between the analyzing and main thread.
In the main thread a look for packets in the idle phase, but at least every 100ms; i wonder how a increasing time drift can cause a latency of several seconds.
I donīt expect an answer, because it looks that itīs not a WinPCap problem, i just write it down to brighten it up for myself a little bit, sorry...
Have a nice day
Helmut
</pre>
<br>
"Fish" (David B. Trout) schrieb:
<blockquote cite="mid:00ab01cb5a45$356b7870$a0426950$@org" type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">YET
ANOTHER thought (sorry for the sudden flurry of emails!): WinPCap's
timestamp logic starts out as being identical to the system time but is
then
incremented based on the high performance (CPU) clock. Thus, since the
high
performance clock's frequency <i>can</i> change over time (due to the
CPU being
placed into power-saving mode[1]), the high performance counter
technique that
WinPCap uses to timestamp its captured packets with is <i><u>NOT</u></i>
accurate beyond a short period of time.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">That
is to say, for a capture session lasting only several
seconds to several minutes (several hours might be pushing it),
WinPCap's
timestamp <i>should</i> be close enough for most purposes.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">But
for a capture session lasting <i><u>DAYS?!</u></i> Forget
it!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">If
WinPCap would periodically "resync" (reinitialize) its
starting base capture time (i.e. its GetSystemTime value), then <i>perhaps</i>
the
resulting timestamps might be reasonably accurate for much, much longer.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">But
when a capture is started, WinPCap obtains the GetSystemTime
value only once at the start of the capture session and then never ever
again
retrieves it. Instead, it keeps incrementing it internally (more or
less) based
off of the CPU's high performance counter value.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">I
suppose one <i>possible</i> way of working around this issue
would be to periodically (say, every couple of minutes?) start a new
capture
session and then close the original capture session (so as to not lose
any
packets). Thus the new capture session would, during its WinPCap
initialization,
obtain a new starting/base GetSystemTime value and thus end up
essentially "resyncing"
itself with the operating system clock. That might work.<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style=""><span
style="font-size: 7.5pt; font-family: "Arial","sans-serif";">-- </span><span
style="color: rgb(31, 73, 125);"><br>
</span><span
style="font-size: 13.5pt; font-family: "Arial","sans-serif";">
"</span><b><span
style="font-family: "Arial","sans-serif"; color: green;">Fish</span></b><span
style="font-size: 13.5pt; font-family: "Arial","sans-serif";">"</span><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"> (</span><span
style="font-size: 10pt; font-family: "Comic Sans MS"; color: purple;">David
B.
Trout</span><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: rgb(31, 73, 125);">)</span><span
style="color: rgb(31, 73, 125);"> <br>
</span><span
style="font-size: 10pt; font-family: "Verdana","sans-serif"; color: rgb(31, 73, 125);"> </span><span
style="color: rgb(31, 73, 125);"> </span><u><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;"><a class="moz-txt-link-abbreviated" href="mailto:fish@softdevlabs.com">fish@softdevlabs.com</a></span></u><span
style="color: rgb(31, 73, 125);"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size: 10.5pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div
style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0in 0in 0in 4pt;">
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">
<a class="moz-txt-link-abbreviated" href="mailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org</a>
[<a class="moz-txt-link-freetext" href="mailto:winpcap-users-bounces@winpcap.org">mailto:winpcap-users-bounces@winpcap.org</a>] <b>On Behalf Of </b>Helmut
Vaupotitsch<br>
<b>Sent:</b> Tuesday, September 14, 2010 9:18 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>
<b>Subject:</b> [Winpcap-users] timestamping and huge latency<br>
<b>Importance:</b> High<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><tt><span style="font-size: 10pt;">Hi Gianluca
and all
others,</span></tt><span
style="font-size: 10pt; font-family: "Courier New";"><br>
<br>
<tt>I am facing a major latency problem on *long lasting* capture
sessions
which maybe </tt><br>
<tt>has to do with timestamping by the driver, every hint to solve it
is
appreciated:</tt><br>
<br>
<tt>We developed a proprietary protocol to configure, manage and
monitor </tt><br>
<tt>our self-developed hardware, the config software uses WinPCap to
capture
and send raw packets.</tt><br>
<br>
<tt>Everything is working fine, but after some days of continuous
capturing i
face:</tt><br>
<tt>- On some machines, the latency between sending requests and
receiving the
answer </tt><br>
<tt> increases to some seconds (can be up to >30 secs after
capturing
for a week!)</tt><br>
<tt>Closing and re-opening the driver would solve the problem, but i
definitely
need to capture</tt><br>
<tt>for months and longer without interrupt!</tt><br>
<br>
<tt>I know that the driver timestamp is drifting apart from the
System
Time(which can be</tt><br>
<tt>synchronized by e.g. a NTP server), therefore i timestamp the
frames my
myself(which </tt><br>
<tt>is also important if a use timeouts)</tt><br>
<br>
<tt><b>My question is:</b></tt><b><br>
<tt>What could be the reason(s) for huge latency on long lasting
captures?</tt><br>
</b><tt>I know that the latency increases on receiving packets</tt><br>
<tt>Currently i donīt know if sendingīs latency also increases</tt><br>
<tt>Maybe it has something to do with the GetSystemTimeAdjustment
setting?</tt><br>
</span><br>
<span style="font-size: 10pt; font-family: "Courier New";"><br>
<tt>Thanks for reading</tt><br>
<br>
<tt>Best regards from Austria</tt><br>
<tt>Helmut</tt><br>
<br>
</span><br>
Gianluca Varenni schrieb: <o:p></o:p></p>
<pre>The return value of QuerySystemTime and QueryPerformanceCounter is <o:p></o:p></pre>
<pre>synchronized at the beginning of the capture (to compute the offset between <o:p></o:p></pre>
<pre>epoch time and QueryPerformanceCounter), and then the counter and frequency <o:p></o:p></pre>
<pre>returned by QPC are used to compute the number of seconds (and microseconds) <o:p></o:p></pre>
<pre>and added to the offset.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The timestamping code is available in the source code of WinPcap, <o:p></o:p></pre>
<pre>winpcap\packetntx\driver\time_calls.h<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Have a nice day<o:p></o:p></pre>
<pre>GV<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>--------------------------------------------------<o:p></o:p></pre>
<pre>From: "Jan Martinec" <a moz-do-not-send="true"
href="mailto:martij12@fel.cvut.cz"><martij12@fel.cvut.cz></a><o:p></o:p></pre>
<pre>Sent: Tuesday, September 14, 2010 7:23 AM<o:p></o:p></pre>
<pre>To: <a moz-do-not-send="true"
href="mailto:winpcap-users@winpcap.org"><winpcap-users@winpcap.org></a><o:p></o:p></pre>
<pre>Subject: [Winpcap-users] timestamp<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> <o:p></o:p></pre>
<blockquote style="margin-top: 5pt; margin-bottom: 5pt;">
<pre>Hello!<o:p></o:p></pre>
<pre>I've got a question about timestamping method. I know that a timestamp<o:p></o:p></pre>
<pre>is got using method QueryPerformanceCounter (resp.<o:p></o:p></pre>
<pre>keQueryPerformanceCounter), which is a number of ticks of Performance<o:p></o:p></pre>
<pre>counter. But timestamp is by Winpcap returned in "Seconds since Epoch"<o:p></o:p></pre>
<pre>format. So how is the recomputation done?<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Thank you very much<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre>Jan Martinec<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><o:p> </o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Winpcap-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true"
href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true"
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Winpcap-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true"
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre wrap=""> <o:p></o:p>
<hr size="4" width="90%">
_______________________________________________
Winpcap-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a>
<a class="moz-txt-link-freetext" href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a>
</pre>
</div>
</div>
</blockquote>
</body>
</html>