[Winpcap-users] Packet timestamp strangeness

Richard Hansen pcap-ri at scientician.org
Fri Jun 30 05:26:14 GMT 2006

Hi all,

I'm having trouble determining how the packet timestamp is calculated, and I'm wondering if someone would be so kind as to enlighten me.  I spent a good amount of time poring over the source code, but I'm not familiar enough with the internals of WinPcap to understand what's going on (I even saw some assembly code (!) in a function that I suspected might be related to setting the timestamp).

I'm writing a proxy program that will likely be dealing with latency sensitive applications.  I'm concerned that packets will become stale when my system is too loaded to pull them out of the kernel buffer rapidly.  I'm trying to insert some code at the very beginning of my pcap_loop callback function that gets the current time, compares it with the packet timestamp, and drops the packet if the difference is above some user-configurable threshold.

Unfortunately, I'm getting significant inaccuracies when I calculate the time difference.  The reported difference between packet timestamp and current time ranges between negative (!) ~600us and positive ~10ms, with ~7ms being typical.  I know that anything over about 1.5ms can't be right because I implemented a simple ping reply application that dissects ICMP echo requests arriving via WinPcap and generates ICMP echo replies.  Pinging from another box on the LAN shows about 1.5ms round trip time.  Therefore, the actual time difference must be ~1.5ms minus the amount of time it takes to dissect the ICMP packets and construct a reply minus the time spent on the wire.

I'm getting the current system time by using GetSystemTimeAsFileTime and then correcting for Microsoft's use of January 1, 1601 as epoch.  Of course the system time can bounce around due to something like NTP, but I figured it wouldn't change very often.  What I would really like is a function like pcap_getcurrenttime() that returns the current time using whatever method pcap is using to set the timestamp.

Here's a sample callback function that illustrates how I'm calculating the time difference:

#include <pcap.h>     /* keep before windows.h: pcap.h pulls in winsock2.h */
#include <windows.h>
#include <stdio.h>
#define EPOCH_OFFSET (__int64)11644473600000000LL  /* microseconds from 1601-01-01 to 1970-01-01 */
static __int64 timeout = 0;  /* user-configurable staleness threshold, in microseconds */

void callback(u_char* param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
    FILETIME FileTime;
    ULARGE_INTEGER ft;
    __int64 currentTime, packetTime;
    /* packet timestamp plus the allowed age, in microseconds since the Unix epoch */
    packetTime = (__int64)header->ts.tv_sec * 1000000LL + header->ts.tv_usec + timeout;
    GetSystemTimeAsFileTime(&FileTime);          /* 100-ns ticks since 1601-01-01 */
    ft.LowPart = FileTime.dwLowDateTime;         /* copy into ULARGE_INTEGER rather than cast the struct */
    ft.HighPart = FileTime.dwHighDateTime;
    currentTime = (__int64)(ft.QuadPart / 10) - EPOCH_OFFSET;
    fprintf(stderr, "Time difference: %lli\n", currentTime - packetTime);  /* positive: older than 'timeout' */
    /* ICMP echo reply code goes here */
}

Does anyone have any suggestions on how I can improve timing accuracy?

Thank you!

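The epoch conversion and staleness check described in the post, written out as an added example (this is not the poster's code and not part of WinPcap). To compile and run it off Windows it uses a constructed stand-in struct, filetime_t, with the same two 32-bit halves as the Win32 FILETIME; on Windows the value would come from GetSystemTimeAsFileTime instead of the filetime_from_ticks helper, which exists only to build test inputs. The sample timestamps are constructed. Negative ages are reported but not treated as stale, since they mean the packet clock and the system clock disagree (different clock sources, or an NTP step) rather than that the packet is old. One caveat when reading the measured ages: WinPcap delivers packets to user space in batches, when the kernel buffer holds at least the mintocopy amount (pcap_setmintocopy) or the read timeout passed to pcap_open_live expires, so part of the measured age is that batching delay rather than time the proxy spent busy.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Win32 FILETIME struct so this compiles off Windows:
 * 100-ns ticks since 1601-01-01 UTC, split into two 32-bit halves as Windows does. */
typedef struct {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} filetime_t;

/* Microseconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix/pcap epoch). */
#define EPOCH_OFFSET_US 11644473600000000LL

/* Test helper (hypothetical): build a filetime_t from a 64-bit tick count.
 * On Windows, GetSystemTimeAsFileTime fills the struct for you. */
filetime_t filetime_from_ticks(uint64_t ticks)
{
    filetime_t ft;
    ft.dwLowDateTime  = (uint32_t)(ticks & 0xFFFFFFFFu);
    ft.dwHighDateTime = (uint32_t)(ticks >> 32);
    return ft;
}

/* FILETIME -> microseconds since the Unix epoch. Reassemble the halves into a 64-bit
 * value first (the documented approach, instead of casting the struct pointer). */
int64_t filetime_to_unix_us(filetime_t ft)
{
    uint64_t ticks = ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
    return (int64_t)(ticks / 10) - EPOCH_OFFSET_US;   /* 10 ticks of 100 ns = 1 us */
}

/* pcap_pkthdr.ts (tv_sec, tv_usec) -> microseconds since the Unix epoch. Widen before multiplying. */
int64_t pcap_ts_to_us(long tv_sec, long tv_usec)
{
    return (int64_t)tv_sec * 1000000LL + (int64_t)tv_usec;
}

/* Staleness decision for the top of a pcap callback.
 * Returns 1 if the packet is older than threshold_us and should be dropped, 0 otherwise.
 * *age_us receives now - packet. A negative age means the two clocks disagree, so the
 * packet is kept: the measurement is untrustworthy, not the packet old. */
int packet_is_stale(int64_t now_us, int64_t packet_us, int64_t threshold_us, int64_t *age_us)
{
    int64_t age = now_us - packet_us;
    if (age_us) *age_us = age;
    if (age < 0) return 0;
    return age > threshold_us;
}

int main(void)
{
    /* Constructed "now": 1.5 s past the Unix epoch, expressed as FILETIME ticks. */
    uint64_t now_ticks = 116444736000000000ULL + 15000000ULL;
    int64_t now_us = filetime_to_unix_us(filetime_from_ticks(now_ticks));
    int64_t threshold_us = 5000;   /* drop anything older than 5 ms */
    int64_t age;

    /* Constructed packet timestamps: 1.5 ms old, 10 ms old, and 600 us in the future. */
    long samples[][2] = { {1, 498500}, {1, 490000}, {1, 500600} };
    for (int i = 0; i < 3; i++) {
        int64_t pkt_us = pcap_ts_to_us(samples[i][0], samples[i][1]);
        int drop = packet_is_stale(now_us, pkt_us, threshold_us, &age);
        printf("packet %d: age %lld us -> %s\n", i, (long long)age, drop ? "DROP" : "keep");
    }
    return 0;
}
```

Running the sample keeps the 1.5 ms packet, drops the 10 ms one, and keeps the future-dated one while reporting its negative age, which is the case to log rather than act on.
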