[Winpcap-users] Strange timestamp distribution while sniffing PPP-connections (RAS via netmonitor)
Marc Wetzel
mwse at gmx.de
Tue Aug 14 09:52:58 GMT 2007
Hi pcap-users,
this mail is more a request for comments than a request for a solution -
so, please don't hesitate to answer if you have the slightest idea of
what might go on here...
We try to capture packets via the "WAN-PPP/Slip interface" using
Wireshark (latest version, latest WinPcap).
This works quite well, but we see one problem:
If some special application (a dashboard app, provided by the mobile
network operator) is running on the system,
the timestamps are uniformly distributed; if this app is not running, the
timestamps are distributed with a minimum gap of 10ms.
The PPP connection is started before; the following describes the
process in detail:
- Start Wireshark, start sniffing
- Start RAS connection
- Start a ping, or an FTP download, or an HTTP download
- Wireshark shows granular timestamps
- Start the dashboard app
- Start a ping, or an FTP download, or an HTTP download
- Wireshark shows the expected non-granular timestamps
- Close the dashboard app
- Start a ping, or an FTP download, or an HTTP download
- Wireshark shows granular timestamps again
The system is more or less idle (< 5% CPU load, with or without the
dashboard app).
We have no clue what is happening here, and we need to know what could
be the cause of this.
We thought of
- Windows task scheduling (but this should show a 15ms gap??)
- TCP stack intervention of some kind?
- we checked several Windows XP builds (with or without service packs,
standard netmonitor or latest update)
What could interfere in such a way that the timestamps are touched?
How does the netmonitor API get the timestamps? (pcap on Ethernet
timestamps are configurable via the registry, IIRC)
I already inspected the WinPcap source parts... and I see that the
timestamps are just passed through - only some conversion into
Unix timestamps is done.
BTW: Sniffing on any ethernet works perfectly (regarding the timestamp
distribution)
Thank you in advance for all the ideas you might have,
Regards
Marc
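
The granularity described in the message above can be measured directly from a saved capture instead of being judged by eye. The following is an added example, not part of the original post and not WinPcap or Wireshark code: it reads record timestamps from a classic pcap file and reports the smallest non-zero gap and how many gaps fall on that grid. The function names, the thresholds and the two sample captures are assumptions constructed for illustration.

```python
import struct

# Classic pcap magics: (byte order, divisor turning the sub-second field into microseconds)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1), b"\xa1\xb2\xc3\xd4": (">", 1),
          b"\x4d\x3c\xb2\xa1": ("<", 1000), b"\xa1\xb2\x3c\x4d": (">", 1000)}

def pcap_timestamps_us(data):
    """Return each record's timestamp in microseconds from classic pcap bytes."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, div = MAGICS[data[:4]]
    stamps, off = [], 24                       # skip the 24-byte global header
    while off + 16 <= len(data):               # 16-byte per-record header
        sec, frac, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * 1_000_000 + frac // div)
        off += 16 + caplen                     # jump over the captured bytes
    return stamps

def timestamp_granularity(stamps, tolerance_us=50):
    """Return (smallest non-zero gap in us, fraction of gaps that are multiples of it)."""
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    nonzero = [g for g in gaps if g > 0]
    if not nonzero:
        return 0, 0.0
    tick = min(nonzero)
    on_grid = sum(1 for g in gaps if min(g % tick, tick - g % tick) <= tolerance_us)
    return tick, on_grid / len(gaps)

def looks_quantized(stamps, min_tick_us=1000, min_fraction=0.9):
    """Assumed heuristic: a coarse tick that nearly every gap is a multiple of."""
    tick, fraction = timestamp_granularity(stamps)
    return tick >= min_tick_us and fraction >= min_fraction

def build_pcap(stamps_us, payload=b"\x00" * 8):
    """Build a little-endian microsecond pcap (link type 9 = PPP) for the samples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 9)
    for t in stamps_us:
        out += struct.pack("<IIII", t // 1_000_000, t % 1_000_000,
                           len(payload), len(payload)) + payload
    return out

# Constructed sample input: the same arrival offsets, once as-is, once snapped to 10 ms.
BASE = 1_187_000_000 * 1_000_000
ARRIVALS = [0, 3712, 12105, 18433, 31018, 33340, 47951]
FINE = build_pcap([BASE + t for t in ARRIVALS])
COARSE = build_pcap([BASE + t // 10_000 * 10_000 for t in ARRIVALS])

if __name__ == "__main__":
    for name, blob in (("fine", FINE), ("coarse", COARSE)):
        print(name, timestamp_granularity(pcap_timestamps_us(blob)))
```

Running the same measurement on a capture taken with the dashboard app open and one taken with it closed gives two numbers that can be compared directly.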