<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I believe you are looking at the timestamps of the packets in wireshark, not when wireshark actually receives the packets from the WinPcap library. They are different. WinPcap timestamps the packets in the driver as soon as they arrive, but for performance reasons, it can deliver them with a certain delay. Are you looking at the timestamps in Wireshark?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Have a nice day<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>GV<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] <b>On Behalf Of </b>Akif Usman<br><b>Sent:</b> Wednesday, March 16, 2011 2:22 AM<br><b>To:</b> winpcap-users@winpcap.org<br><b>Subject:</b> Re: [Winpcap-users] Winpcap-users Digest, Vol 72, Issue 8<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Hi,<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>The only thing that amazes me is Wireshark. Why is wireshark able to capture with such accuracy even if it uses winpcap. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Is it possible to achieve accuracy if i used packet.h functions to receive and then pcap to send the packets. Anton have you tried that?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>BR<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><br>> From: <a href="mailto:winpcap-users-request@winpcap.org">winpcap-users-request@winpcap.org</a><br>> Subject: Winpcap-users Digest, Vol 72, Issue 8<br>> To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> Date: Wed, 16 Mar 2011 02:08:28 -0700<br>> <br>> Send Winpcap-users mailing list submissions to<br>> <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> <br>> To subscribe or unsubscribe via the World Wide Web, visit<br>> <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> or, via email, send a message with subject or body 'help' to<br>> <a href="mailto:winpcap-users-request@winpcap.org">winpcap-users-request@winpcap.org</a><br>> <br>> You can reach the person managing the list at<br>> <a href="mailto:winpcap-users-owner@winpcap.org">winpcap-users-owner@winpcap.org</a><br>> <br>> When replying, please edit your Subject line so it is more specific<br>> than "Re: Contents of Winpcap-users digest..."<br>> <br>> <br>> Today's Topics:<br>> <br>> 1. Re: PPP capture (Gianluca Varenni)<br>> 2. Re: Winpcap-users Digest, Vol 72, Issue 7 (Akif Usman)<br>> <br>> <br>> ----------------------------------------------------------------------<br>> <br>> Message: 1<br>> Date: Tue, 15 Mar 2011 13:59:25 -0700<br>> From: Gianluca Varenni <<a href="mailto:Gianluca.Varenni@riverbed.com">Gianluca.Varenni@riverbed.com</a>><br>> To: Anton Tremsin <<a href="mailto:ast@ssl.berkeley.edu">ast@ssl.berkeley.edu</a>>, "<a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>"<br>> <<a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>><br>> Subject: Re: [Winpcap-users] PPP capture<br>> Message-ID:<br>> <<a href="mailto:6A8F2E88CFF83C43A6AFF7FAC775B9FC07151743D9@MAILBOXES2.nbttech.com">6A8F2E88CFF83C43A6AFF7FAC775B9FC07151743D9@MAILBOXES2.nbttech.com</a>><br>> Content-Type: text/plain; charset="us-ascii"<br>> <br>> Anton,<br>> <br>> If I remember well, you are capturing from Ethernet, Akif is capturing from PPP. The code paths for the two types of devices are completely different (Ethernet goes through the WinPcap kernel driver, PPP gets captured through Netmon).<br>> <br>> Have a nice day<br>> GV<br>> <br>> From: Anton Tremsin <a href="mailto:[mailto:ast@ssl.berkeley.edu]">[mailto:ast@ssl.berkeley.edu]</a><br>> Sent: Monday, March 14, 2011 11:43 PM<br>> To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> Cc: Gianluca Varenni<br>> Subject: Re: [Winpcap-users] PPP capture<br>> <br>> Akif, Gianluca,<br>> <br>> As I mentioned in my previous messages, I have exactly the same problem of delayed packages, with mintocopy set even to 0 (tried other values as well). I am always sending a set of 64 packets of 8Kbytes each (that is one image data). The packets are not lost, they always arrive. However, some of them come with no delay (varied number of them, sometimes 62, sometimes 57, etc), while the rest of them come exactly after the delay equal to the setting of the timeout, which I varied between 1 and 10000 milliseconds. There is no timeout reported for the packets to arrive with the delay.<br>> <br>> I will be very glad if that issue can be solved, which has probably the same cause as in Akif's application.<br>> <br>> Thanks a lot,<br>> <br>> Anton<br>> <br>> Akif,<br>> <br>> This is probably due to the mintocopy and timeout of WinPcap. WinPcap does not deliver you the packets immediately after they are received by the driver. Packets are batched in kernel mode and delivered to the receiving application when<br>> <br>> <br>> There are at least mintocopy bytes in the kernel buffer<br>> <br>> After a certain timeout<br>> (whatever happens first).<br>> <br>> In order to reduce the delay, you will need to either reduce the timeout or the mintocopy.<br>> <br>> Have a nice day<br>> GV<br>> <br>> From: <a href="mailto:winpcap-users-bounces@winpcap.org%3cmailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org<mailto:winpcap-users-bounces@winpcap.org</a>> <a href="mailto:[mailto:winpcap-users-bounces@winpcap.org]">[mailto:winpcap-users-bounces@winpcap.org]</a> On Behalf Of Akif Usman<br>> Sent: Thursday, March 10, 2011 11:20 AM<br>> To: <a href="mailto:winpcap-users@winpcap.org%3cmailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org<mailto:winpcap-users@winpcap.org</a>><br>> Subject: [Winpcap-users] PPP capture<br>> <br>> HI,<br>> <br>> I have installed the winpcap version 3.1 beta and i am capturing from a PPP interface and it captures perfectly. Now i am trying to capture from the same PPP interface using my LIBPCAP program and forward it to another Ethernet interface that connects further to a second computer (Ethernet NIC) which also has wireshark running on it. When i capture from the second computer i get a strange offset of 0.5 seconds after every x packets. This is very strange. I dont know why wireshark is able to capture from PPP interface on the first computer with proper accuracy and why my LIBPCAP program, which is just forwarding the packets, is introducing a 0.5s [:-O] delay. Please help me out as soon as somebody can.<br>> <br>> Best Regards<br>> Fika<br>> <br>> <br>> <br>> <br>> <br>> _______________________________________________<br>> <br>> Winpcap-users mailing list<br>> <br>> <a href="mailto:Winpcap-users@winpcap.org%3cmailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org<mailto:Winpcap-users@winpcap.org</a>><br>> <br>> <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> <br>> <br>> <br>> -------------- next part --------------<br>> An HTML attachment was scrubbed...<br>> URL: <<a href="http://www.winpcap.org/pipermail/winpcap-users/attachments/20110315/7cb51127/attachment-0001.html">http://www.winpcap.org/pipermail/winpcap-users/attachments/20110315/7cb51127/attachment-0001.html</a>><br>> <br>> ------------------------------<br>> <br>> Message: 2<br>> Date: Wed, 16 Mar 2011 10:08:25 +0100<br>> From: Akif Usman <<a href="mailto:akif.usman@hotmail.com">akif.usman@hotmail.com</a>><br>> To: <<a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>><br>> Subject: Re: [Winpcap-users] Winpcap-users Digest, Vol 72, Issue 7<br>> Message-ID: <<a href="mailto:SNT143-w3812119493BFBBEDF1C2EC80CE0@phx.gbl">SNT143-w3812119493BFBBEDF1C2EC80CE0@phx.gbl</a>><br>> Content-Type: text/plain; charset="iso-8859-1"<br>> <br>> <br>> HI,<br>> There are some questiosn i need to ask. Why does wireshark give no delay upon capture even though it uses Winpcap? <br>> I am using windows xp for capture and i have checked the capture on ethernet and there seems to be no problems at all from the capture on ethernet. I have tried changing mintocopy and the timeout but it gives me no changes in the performance? Any ideas why?<br>> <br>> BR<br>> <br>> > From: <a href="mailto:winpcap-users-request@winpcap.org">winpcap-users-request@winpcap.org</a><br>> > Subject: Winpcap-users Digest, Vol 72, Issue 7<br>> > To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> > Date: Tue, 15 Mar 2011 12:00:02 -0700<br>> > <br>> > Send Winpcap-users mailing list submissions to<br>> > <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> > <br>> > To subscribe or unsubscribe via the World Wide Web, visit<br>> > <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> > or, via email, send a message with subject or body 'help' to<br>> > <a href="mailto:winpcap-users-request@winpcap.org">winpcap-users-request@winpcap.org</a><br>> > <br>> > You can reach the person managing the list at<br>> > <a href="mailto:winpcap-users-owner@winpcap.org">winpcap-users-owner@winpcap.org</a><br>> > <br>> > When replying, please edit your Subject line so it is more specific<br>> > than "Re: Contents of Winpcap-users digest..."<br>> > <br>> > <br>> > Today's Topics:<br>> > <br>> > 1. Re: PPP capture (Gianluca Varenni)<br>> > 2. Re: PPP capture (Anton Tremsin)<br>> > <br>> > <br>> > ----------------------------------------------------------------------<br>> > <br>> > Message: 1<br>> > Date: Mon, 14 Mar 2011 18:44:54 -0700<br>> > From: Gianluca Varenni <<a href="mailto:Gianluca.Varenni@riverbed.com">Gianluca.Varenni@riverbed.com</a>><br>> > To: "<a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>" <<a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>><br>> > Subject: Re: [Winpcap-users] PPP capture<br>> > Message-ID:<br>> > <<a href="mailto:6A8F2E88CFF83C43A6AFF7FAC775B9FC07151739AA@MAILBOXES2.nbttech.com">6A8F2E88CFF83C43A6AFF7FAC775B9FC07151739AA@MAILBOXES2.nbttech.com</a>><br>> > Content-Type: text/plain; charset="us-ascii"<br>> > <br>> > Akif,<br>> > <br>> > This is probably due to the mintocopy and timeout of WinPcap. WinPcap does not deliver you the packets immediately after they are received by the driver. Packets are batched in kernel mode and delivered to the receiving application when<br>> > <br>> > <br>> > - There are at least mintocopy bytes in the kernel buffer<br>> > <br>> > - After a certain timeout<br>> > (whatever happens first).<br>> > <br>> > In order to reduce the delay, you will need to either reduce the timeout or the mintocopy.<br>> > <br>> > Have a nice day<br>> > GV<br>> > <br>> > From: <a href="mailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org</a> <a href="mailto:[mailto:winpcap-users-bounces@winpcap.org]">[mailto:winpcap-users-bounces@winpcap.org]</a> On Behalf Of Akif Usman<br>> > Sent: Thursday, March 10, 2011 11:20 AM<br>> > To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> > Subject: [Winpcap-users] PPP capture<br>> > <br>> > HI,<br>> > <br>> > I have installed the winpcap version 3.1 beta and i am capturing from a PPP interface and it captures perfectly. Now i am trying to capture from the same PPP interface using my LIBPCAP program and forward it to another Ethernet interface that connects further to a second computer (Ethernet NIC) which also has wireshark running on it. When i capture from the second computer i get a strange offset of 0.5 seconds after every x packets. This is very strange. I dont know why wireshark is able to capture from PPP interface on the first computer with proper accuracy and why my LIBPCAP program, which is just forwarding the packets, is introducing a 0.5s [:-O] delay. Please help me out as soon as somebody can.<br>> > <br>> > Best Regards<br>> > Fika<br>> > -------------- next part --------------<br>> > An HTML attachment was scrubbed...<br>> > URL: <<a href="http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fcd4e478/attachment-0001.html">http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fcd4e478/attachment-0001.html</a>><br>> > <br>> > ------------------------------<br>> > <br>> > Message: 2<br>> > Date: Mon, 14 Mar 2011 23:42:30 -0700<br>> > From: Anton Tremsin <<a href="mailto:ast@ssl.berkeley.edu">ast@ssl.berkeley.edu</a>><br>> > To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> > Cc: Gianluca Varenni <<a href="mailto:Gianluca.Varenni@riverbed.com">Gianluca.Varenni@riverbed.com</a>><br>> > Subject: Re: [Winpcap-users] PPP capture<br>> > Message-ID: <<a href="mailto:4D7F0A56.1070207@ssl.berkeley.edu">4D7F0A56.1070207@ssl.berkeley.edu</a>><br>> > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"<br>> > <br>> > Akif, Gianluca,<br>> > <br>> > As I mentioned in my previous messages, I have exactly the same problem <br>> > of delayed packages, with mintocopy set even to 0 (tried other values as <br>> > well). I am always sending a set of 64 packets of 8Kbytes each (that is <br>> > one image data). The packets are not lost, they always arrive. However, <br>> > some of them come with no delay (varied number of them, sometimes 62, <br>> > sometimes 57, etc), while the rest of them come exactly after the delay <br>> > equal to the setting of the timeout, which I varied between 1 and 10000 <br>> > milliseconds. There is no timeout reported for the packets to arrive <br>> > with the delay.<br>> > <br>> > I will be very glad if that issue can be solved, which has probably the <br>> > same cause as in Akif's application.<br>> > <br>> > Thanks a lot,<br>> > <br>> > Anton<br>> > ><br>> > > Akif,<br>> > ><br>> > > This is probably due to the mintocopy and timeout of WinPcap. WinPcap <br>> > > does not deliver you the packets immediately after they are received <br>> > > by the driver. Packets are batched in kernel mode and delivered to the <br>> > > receiving application when<br>> > ><br>> > > - There are at least mintocopy bytes in the kernel buffer<br>> > ><br>> > > - After a certain timeout<br>> > ><br>> > > (whatever happens first).<br>> > ><br>> > > In order to reduce the delay, you will need to either reduce the <br>> > > timeout or the mintocopy.<br>> > ><br>> > > Have a nice day<br>> > ><br>> > > GV<br>> > ><br>> > > *From:* <a href="mailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org</a> <br>> > > <a href="mailto:[mailto:winpcap-users-bounces@winpcap.org]">[mailto:winpcap-users-bounces@winpcap.org]</a> *On Behalf Of *Akif Usman<br>> > > *Sent:* Thursday, March 10, 2011 11:20 AM<br>> > > *To:* <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>> > > *Subject:* [Winpcap-users] PPP capture<br>> > ><br>> > > HI,<br>> > ><br>> > > I have installed the winpcap version 3.1 beta and i am capturing from <br>> > > a PPP interface and it captures perfectly. Now i am trying to capture <br>> > > from the same PPP interface using my LIBPCAP program and forward it to <br>> > > another Ethernet interface that connects further to a second computer <br>> > > (Ethernet NIC) which also has wireshark running on it. When i capture <br>> > > from the second computer i get a strange offset of 0.5 seconds after <br>> > > every x packets. This is very strange. I dont know why wireshark is <br>> > > able to capture from PPP interface on the first computer with proper <br>> > > accuracy and why my LIBPCAP program, which is just forwarding the <br>> > > packets, is introducing a 0.5s [:-O] delay. Please help me out as soon <br>> > > as somebody can.<br>> > ><br>> > > Best Regards<br>> > ><br>> > > Fika<br>> > ><br>> > ><br>> > > _______________________________________________<br>> > > Winpcap-users mailing list<br>> > > <a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>> > > <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> > > <br>> > <br>> > -------------- next part --------------<br>> > An HTML attachment was scrubbed...<br>> > URL: <<a href="http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fde1d594/attachment-0001.html">http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fde1d594/attachment-0001.html</a>><br>> > <br>> > ------------------------------<br>> > <br>> > _______________________________________________<br>> > Winpcap-users mailing list<br>> > <a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>> > <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> > <br>> > <br>> > End of Winpcap-users Digest, Vol 72, Issue 7<br>> > ********************************************<br>> <br>> -------------- next part --------------<br>> An HTML attachment was scrubbed...<br>> URL: <<a href="http://www.winpcap.org/pipermail/winpcap-users/attachments/20110316/cd1b5258/attachment.html">http://www.winpcap.org/pipermail/winpcap-users/attachments/20110316/cd1b5258/attachment.html</a>><br>> <br>> ------------------------------<br>> <br>> _______________________________________________<br>> Winpcap-users mailing list<br>> <a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>> <a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>> <br>> <br>> End of Winpcap-users Digest, Vol 72, Issue 8<br>> ********************************************<o:p></o:p></span></p></div></div></body></html>