[Winpcap-users] Timestamps "jump back" by ~13 seconds

Gianluca Varenni gianluca.varenni at cacetech.com
Wed Apr 12 05:10:47 GMT 2006


Michael,

Which kind of machine is the one showing the timestamp issue? In particular, I'm interested in knowing if it uses a HyperThreaded processor, a multicore one, multiple processors or any combination of them.

Have a nice day
GV

  ----- Original Message ----- 
  From: Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) 
  To: winpcap-users at winpcap.org 
  Sent: Thursday, April 06, 2006 9:16 AM
  Subject: [Winpcap-users] Timestamps "jump back" by ~13 seconds


  Hi all.



  I used Ethereal (very recent version) to capture packets yesterday.  When I open the resultant Ethereal file, I notice that about every 5 or 10 packets, the timestamp is roughly 13 seconds earlier than that of the previous packet.  



  Looking more closely, I see a clump of packets with timestamps that increase normally, then a clump that are 13 seconds earlier (but whose timestamps also increase normally), then a clump that are 13 seconds later (lining up with the 1st clump), then a 13-seconds-earlier clump, etc., etc., etc.



  I'm probably not explaining this well :(.  Here is a sample of the timestamps - this should make it clearer.



  14:26:35.475498
  14:26:35.475604
  14:26:35.475632
  14:26:49.087976            (Jumps ahead ~13.5 seconds)
  14:26:49.132457
  14:26:49.132573
  14:26:49.132604
  14:26:49.134084
  14:26:35.525248            (Jumps back ~13.5 seconds)
  14:26:35.525376
  14:26:35.525567
  14:26:49.283965            (Jumps ahead ~13.5 seconds)
  14:26:49.882512
  14:26:49.882613
  14:26:49.882645

  ... this pattern continues forever and ever (or, at least for the 35 minutes of the capture)



  Has anyone seen this?  Any ideas?



  If I understand how Winpcap works (that's a big "IF"), Winpcap grabs the packet, applies a timestamp using the system clock, passes it to Ethereal, who gives it the next frame number and adds it to the packet set, and waits for the next packet.  So, how these timestamps are showing this behavior has got me good and puzzled :).



  I'm waiting for Ethereal & Winpcap version info (I don't have direct access to the collecting system), as well as NIC info, in case it's relevant.  But I thought I'd post this now, in case there's an obvious answer.



  Thx much,

  Michael



  Michael Feeny

  TDDS Application Integration Management

  609-274-2761 (Office)

  484-995-1745 (Mobile)

  1-888-MERRIL0 (Page)

  feenyman99 (AIM)
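
A check for the pattern described in the message above, as an added example that is not part of the original thread: it flags backward timestamp steps and tests whether the clumps fall onto a small number of internally consistent timelines. The function names and the 1-second `max_gap` threshold are assumptions; the timestamps are the ones quoted in the message.

```python
from datetime import datetime

# Timestamps copied from the sample in the message above.
SAMPLE = """
14:26:35.475498 14:26:35.475604 14:26:35.475632
14:26:49.087976 14:26:49.132457 14:26:49.132573 14:26:49.132604 14:26:49.134084
14:26:35.525248 14:26:35.525376 14:26:35.525567
14:26:49.283965 14:26:49.882512 14:26:49.882613 14:26:49.882645
""".split()


def to_seconds(stamp):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    t = datetime.strptime(stamp, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def backward_steps(secs):
    """Indices of packets stamped earlier than the packet before them."""
    return [i for i in range(1, len(secs)) if secs[i] < secs[i - 1]]


def assign_timelines(secs, max_gap=1.0):
    """Give each packet a timeline id.
    A packet continues a timeline if its stamp is at or after that timeline's
    latest stamp and at most max_gap seconds beyond it; otherwise it opens a
    new one. max_gap is an assumed threshold, to be tuned to the traffic.
    """
    last, labels = [], []   # last[t] = latest stamp seen on timeline t
    for s in secs:
        for tid, prev in enumerate(last):
            if 0 <= s - prev <= max_gap:
                break
        else:
            tid = len(last)
            last.append(s)
        last[tid] = s
        labels.append(tid)
    return labels


def report(stamps, max_gap=1.0):
    """Summarise backward steps and timeline count for a list of stamps."""
    secs = [to_seconds(s) for s in stamps]
    back = backward_steps(secs)
    labels = assign_timelines(secs, max_gap)
    return {"backward_at": back,
            "backward_by": [round(secs[i - 1] - secs[i], 6) for i in back],
            "timelines": len(set(labels)), "labels": labels}
```

On the quoted sample, `report(SAMPLE)` finds one backward step and places all fifteen packets on two timelines, each of which increases normally on its own.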



