[Winpcap-users] Strange timestamp distribution while sniffing PPP-connections (RAS via netmonitor)

Mark Bednarczyk voytechs at yahoo.com
Tue Aug 14 10:34:49 GMT 2007


Looks like a bandwidth contention on your PPP link. When you start up
your "dashboard" app it might be generating traffic and filling up the
system's output queues on the PPP interface.

Just a thought,
Cheers,
mark...

> -----Original Message-----
> From: winpcap-users-bounces at winpcap.org 
> [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Marc Wetzel
> Sent: Tuesday, August 14, 2007 5:53 AM
> To: winpcap-users at winpcap.org
> Subject: [Winpcap-users] Strange timestamp distribution while 
> sniffing PPP-connections (RAS via netmonitor)
> 
> Hi pcap-users,
> 
> This mail is more a request for comments than a request for a 
> solution - so, please don't hesitate to answer if you have 
> the slightest idea of what might be going on here...
> 
> We try to capture packets via the "WAN-PPP/Slip interface" 
> using wireshark (latest version, latest winpcap). This works 
> quite well, but we see one problem:
> If some special application (a dashboard app, provided by 
> the mobile network operator) is running on the system, the 
> timestamps are uniformly distributed; if this app is not 
> running the timestamps are distributed with a minimum gap of 10ms.
> The PPP connection is started beforehand - so, the following 
> describes the process in detail:
> - Start wireshark, start sniffing
> - Start Ras connection
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows granular timestamps
> - Start the dashboard app,
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows the expected non-granular timestamps
> - Close the dashboard app,
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows granular timestamps, again
> 
> 
> 
> The system is more or less idle (< 5% cpu-load (with or without the
> dashboard-app))
> 
> We have no clue what is happening here, and we need to know 
> what could be the cause of this.
> 
> We thought of
> - windows task scheduling (but this should show a 15ms gap??)
> - tcp-stack intervention of some kind?
> - we checked several Windows XP builds (with or without 
> service packs, standard netmonitor or latest update)
> 
> 
> What could interfere in such a way that the timestamps are touched?
> How does the netmonitor API get the timestamps? (pcap on ethernet 
> timestamps are configurable via the registry IIRC)
> I already inspected the winpcap source parts... and I see that the 
> timestamps are just passed through - only some conversion into
> unix timestamps is done.
> 
> BTW: Sniffing on any ethernet works perfectly (regarding the 
> timestamp distribution)
> 
> Thank you in advance for all the ideas you might have,
> 
> Regards
> Marc
> 
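The symptom Marc describes (inter-packet gaps that only ever come out as multiples of 10ms, or of the 15.625ms Windows timer tick he mentions) can be measured from the capture file itself instead of eyeballed in Wireshark. The script below is an added example and not part of the original thread or of WinPcap: it parses a classic libpcap file with the standard library only, computes inter-arrival gaps, and reports the smallest non-zero gap plus the fraction of gaps that are exact multiples of each candidate quantum. The sample timestamps, the epoch they start at and the 50us tolerance are all constructed for the demonstration; on a real capture the fine clock gives a low ratio and a sub-millisecond minimum gap, while a quantized capture path gives a ratio near 1.0 and a minimum gap equal to the quantum.

```python
"""Check a classic libpcap file for coarse timestamp granularity.

Added example: parses the pcap with the standard library only, then looks at
whether inter-arrival gaps only ever land on multiples of a timer quantum
(10 ms, or the 15.625 ms Windows tick). Sample data below is constructed.
"""
import struct
import sys

# magic (read as little-endian uint32) -> (struct endianness, divisor to get usec)
_MAGICS = {
    0xA1B2C3D4: ("<", 1),      # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1),      # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1000),   # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1000),   # big-endian file, nanosecond timestamps
}


def build_pcap(timestamps_us, big_endian=False, linktype=1):
    """Build a minimal pcap (usec resolution) with one 60-byte dummy packet per
    timestamp. Used only to construct sample input for the demo and the test."""
    endian = ">" if big_endian else "<"
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    payload = b"\x00" * 60
    records = []
    for ts in timestamps_us:
        sec, usec = divmod(ts, 1_000_000)
        records.append(struct.pack(endian + "IIII", sec, usec, len(payload), len(payload)) + payload)
    return header + b"".join(records)


def read_timestamps_us(data):
    """Return every packet timestamp in the pcap as integer microseconds."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    endian, frac_div = _MAGICS[magic]
    off, out = 24, []
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16 + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        out.append(sec * 1_000_000 + frac // frac_div)
    return out


def inter_arrival_gaps_us(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def min_nonzero_gap_us(gaps):
    nonzero = [g for g in gaps if g > 0]
    return min(nonzero) if nonzero else None


def quantization_ratio(gaps, quantum_us, tolerance_us=50):
    """Fraction of non-zero gaps that are an integer multiple of quantum_us
    (within tolerance). Zero gaps are ignored: back-to-back packets can share a
    timestamp on a fine clock too, so they say nothing about granularity."""
    nonzero = [g for g in gaps if g > 0]
    if not nonzero:
        return 0.0
    hits = 0
    for g in nonzero:
        r = g % quantum_us
        if min(r, quantum_us - r) <= tolerance_us:
            hits += 1
    return hits / len(nonzero)


def granularity_report(timestamps, quanta_us=(10_000, 15_625)):
    gaps = inter_arrival_gaps_us(timestamps)
    return {
        "packets": len(timestamps),
        "min_nonzero_gap_us": min_nonzero_gap_us(gaps),
        "ratios": {q: quantization_ratio(gaps, q) for q in quanta_us},
    }


# Constructed sample: gaps a ping/ftp run might produce on a fine clock, and the
# same packets as a 10 ms-quantized clock would have stamped them.
FINE_GAPS_US = [1234, 2781, 912, 15002, 433, 7777, 10000, 2500, 60000, 1111]
T0_US = 1_187_000_000 * 1_000_000 + 3_456   # arbitrary epoch, August 2007


def fine_timestamps():
    ts, t = [T0_US], T0_US
    for g in FINE_GAPS_US:
        t += g
        ts.append(t)
    return ts


def coarse_timestamps(quantum_us=10_000):
    return [t - t % quantum_us for t in fine_timestamps()]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(granularity_report(read_timestamps_us(f.read())))
    else:
        print("fine  :", granularity_report(read_timestamps_us(build_pcap(fine_timestamps()))))
        print("coarse:", granularity_report(read_timestamps_us(build_pcap(coarse_timestamps()))))
```

Run it as `python check_gaps.py capture.pcap` against a capture taken with and without the dashboard app running; a ratio close to 1.0 at 10ms together with a minimum non-zero gap of exactly 10000us is the quantized case, and comparing the 15625us ratio separates a coarse Windows tick from a 10ms source. Only the classic pcap format is parsed here; pcapng files would need a different reader.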
