[Winpcap-users] Re: Where does pcap capturing time come from?

Fri Sep 1 09:21:29 GMT 2006

Alright, I got it.
Thanks a lot!

-- Isara

On 8/30/06, Loris Degioanni <loris.degioanni at cacetech.com> wrote:
> Look at the NPF_tap function, and time_calls.h file in the WinPcap
> driver sources.
>
> Loris
>
>
> Isara Anantavrasilp wrote:
> > I would like to know one more thing,
> > after Pcap got the tick counts from KeQueryPerformanceCounter, how
> > does it convert to "current time"?
> >
> > I need to implement exactly like it to make my comparison make sense.
> >
> > -- Isara
> >
> > On 8/29/06, Isara Anantavrasilp <isara.a at gmail.com> wrote:
> >> Thanks a lot!
> >> This is exactly what I want to know: the clock.
> >> It is pointless measuring the time from two different sources.
> >> Now, I know which clock I should look at.
> >>
> >> Thanks again!
> >> Isara
> >>
> >> On 8/29/06, Loris Degioanni <loris.degioanni at cacetech.com> wrote:
> >> > Use QueryPerformanceCounter() from your application.
> >> > On most (if not all) modern Windows kernels, QueryPerformanceCounter
> >> > (and its kernel counterpart KeQueryPerformanceCounter)are essentially a
> >> > call to the rdtsc x86 function, which returns the internal CPU clock
> >> > counter.
> >> >
> >> > QueryPerformanceCounter is safe (and very precise) to use on single
> >> > processor machines (even hyperthreaded or multicore), where you're
> >> > accessing the same counter that the WinPcap driver uses to timestamp
> >> the
> >> > packets.
> >> > On SMP systems, the situation is a bit more complicated: you might be
> >> > reading the timestamp of a different CPU that the driver used, and the
> >> > clocks of the two CPUs might be drifting. Again, modern kernel
> >> > implementations try to take care of the drifts and should guarantee a
> >> > reasonable precision, but you'll have to try and see what you get.
> >> >
> >> > Loris
> >> >
> >> >
> >> >
> >> > Isara Anantavrasilp wrote:
> >> > > According to this:
> >> > >
> >> http://www.mail-archive.com/winpcap-users@winpcap.polito.it/msg02514.html
> >> > >
> >> > > I learned that pcap called KeQueryPerformanceCounter() to get clock
> >> > > ticks since the system starts.
> >> > > To me, that ticks is more useful than timeval.
> >> > > How can I access the raw cpu time?
> >> > >
> >> > > -- Isara
> >> > >
> >> > > On 8/28/06, Isara Anantavrasilp <isara.a at gmail.com> wrote:
> >> > >> Hi,
> >> > >>
> >> > >> There are two questions regarding the topic.
> >> > >> 1) Winpcap gets you the capturing time in pcap_pkthdr. I would
> >> like to
> >> > >> know what is the timestamp exactly?
> >> > >> Is it the time when the packet pass through the network interface?
> >> > >> And if so, it is in which network layer?
> >> > >> As pcap can capture ethernet header, I believe this time is the time
> >> > >> where outgoing packet is about to enter physical layer and incoming
> >> > >> packets is about to enter from the physical layer.
> >> > >>
> >> > >>
> >> > >> 2) I ran across this gettimeofday code:
> >> > >> http://www.usenet.com/newsgroups/comp.ai.neural-nets/msg01068.html
> >> > >> Is it the same algorithm as the way pcap got its timestamp?
> >> > >>
> >> > >> Thanks a lot!
> >> > >> Isara Anantavrasilp
> >> > >>
> >> > > _______________________________________________
> >> > > Winpcap-users mailing list
> >> > > Winpcap-users at winpcap.org
> >> > > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >> > >
> >> > _______________________________________________
> >> > Winpcap-users mailing list
> >> > Winpcap-users at winpcap.org
> >> > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >> >
> >>
> > _______________________________________________
> > Winpcap-users mailing list
> > Winpcap-users at winpcap.org
> > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>