[Winpcap-users] Strange timestamp distribution while sniffing PPP-connections (RAS via netmonitor)

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Aug 14 18:48:08 GMT 2007


----- Original Message ----- 
From: "Marc Wetzel" <mwse at gmx.de>
To: <winpcap-users at winpcap.org>
Sent: Tuesday, August 14, 2007 2:52 AM
Subject: [Winpcap-users] Strange timestamp distribution while sniffing 
PPP-connections (RAS via netmonitor)


> Hi pcap-users,
>
> this mail is more a request for comments than a request for a solution -
> so, please don't hesitate to answer if you have the slightest idea of what 
> might go on here...
>
> We try to capture packets via the "WAN-PPP/Slip interface" using wireshark 
> (latest version, latest winpcap),
> this works quite well, but we see one problem:
> If some special application (a dashboard app, provided by the mobile 
> network operator) is running on the system,
> the timestamps are uniformly distributed; if this app is not running the 
> timestamps are distributed with a minimum gap of 10ms.
> The PPP-connection is started before, so the following describes the 
> process in detail:
> - Start wireshark, start sniffing
> - Start Ras connection
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows granular timestamps
> - Start the dashboard app,
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows the expected non-granular timestamps
> - Close the dashboard app,
> - Start a ping, or a ftp-download, or http-download
> - wireshark shows granular timestamps, again
>
>
>
> The system is more or less idle (< 5% cpu-load (with or without the 
> dashboard-app))
>
> We have no clue what is happening here, and we need to know what could be 
> the cause of this.
>
> We thought of
> - windows task scheduling (but this should show a 15ms gap??)

I think the reason is actually this one. Depending on the specific version 
of Windows *and* kernel flavor, the scheduling time can be 10ms or even 
15ms. And even if the scheduling quantum is 10 or 15ms, the precision of 
such timestamps can be less than that in some specific cases.

I just tried on my machine (pinging the other half of a pptp tunnel) and the 
granularity is around 1ms (I have an XP machine with UP kernel, FWIW).
In any case, in the case of VPN/dialup, the timestamps are generated 
directly by NetMon, so WinPcap does not have any control on the precision 
and accuracy of them. And the MSDN documentation on the timestamps does not 
specify anything.

Have a nice day
GV

> - tcp-stack intervention of some kind?
> - we checked several Windows XP builds (with or without service packs, 
> standard netmonitor or latest update)
>



>
> What could interfere in such a way that the timestamps are touched?
> How does the netmonitor-api get the timestamps? (pcap on ethernet 
> timestamps are configurable via the registry IIRC)
> I already inspected the winpcap source parts... and I see that the 
> timestamps are just passed through - only some conversion to
> unix timestamps is done.
>
> BTW: Sniffing on any ethernet works perfectly (regarding the timestamp 
> distribution)
>
> Thank you in advance for all the ideas you might have,
>
> Regards
> Marc
>
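Both posters describe the symptom (timestamps clustered on a 10 ms tick when NetMon supplies them, finer when it does not) without a way to measure it on a saved capture. The script below is an added example, not code from WinPcap, Wireshark or either poster: it reads classic pcap record headers with a minimal parser and estimates the capture clock's effective resolution as the gcd of the non-zero inter-packet gaps, which is the check a practitioner wants before trusting sub-10ms timing (RTT measurements, forensic ordering) from a dialup or VPN capture. The two captures it analyses are constructed in memory; `build_pcap`, `analyse` and the timestamp values are assumptions of this example, and pcapng files are deliberately not handled.

```python
"""Estimate the effective timestamp resolution of a classic pcap capture.

Added example: if every inter-packet gap is a multiple of 10 ms, the gcd of the
gaps comes out at 10000 us and the capture clock is tick-quantised; a clock that
really delivers microseconds collapses to 1 us within a handful of packets.
"""
import struct
from math import gcd

# pcap magic as read with "<I": value tells us the writer's byte order and
# whether the fractional field is microseconds or nanoseconds.
_PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1),     # little-endian writer, microseconds
    0xD4C3B2A1: (">", 1),     # big-endian writer, microseconds
    0xA1B23C4D: ("<", 1000),  # little-endian writer, nanoseconds
    0x4D3CB2A1: (">", 1000),  # big-endian writer, nanoseconds
}


def build_pcap(timestamps_us, linktype=9):
    """Write a minimal little-endian microsecond pcap (constructed test data).
    linktype 9 is LINKTYPE_PPP; every record carries a 4-byte dummy payload."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts in timestamps_us:
        payload = b"\x00" * 4
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000,
                               len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def read_timestamps_us(data):
    """Return every record's timestamp from a pcap byte string, in microseconds."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in _PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, units = _PCAP_MAGICS[magic]
    stamps = []
    pos = 24  # the global header is 24 bytes
    while pos + 16 <= len(data):
        sec, frac, caplen, _origlen = struct.unpack(order + "IIII", data[pos:pos + 16])
        stamps.append(sec * 1_000_000 + frac // units)
        pos += 16 + caplen
    return stamps


def estimate_resolution_us(stamps):
    """gcd of all non-zero inter-packet gaps; None if the capture has no gaps.
    This is a lower bound on the clock's tick: a 10 ms scheduler tick gives 10000."""
    res = 0
    for a, b in zip(stamps, stamps[1:]):
        res = gcd(res, abs(b - a))
    return res or None


def analyse(data):
    """Summarise a capture: packet count, estimated resolution, and how many
    consecutive packets share exactly the same timestamp (same tick)."""
    stamps = read_timestamps_us(data)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return {
        "packets": len(stamps),
        "resolution_us": estimate_resolution_us(stamps),
        "same_tick_gaps": sum(1 for g in gaps if g == 0),
    }


# Constructed sample captures (assumed values, not real traffic).
BASE_US = 1_187_081_528_000_000  # roughly 14 Aug 2007 UTC, as an epoch in microseconds
COARSE = build_pcap([BASE_US + o for o in (0, 0, 10_000, 20_000, 20_000, 50_000, 60_000)])
FINE = build_pcap([BASE_US + o for o in (0, 412, 1_337, 2_901, 4_007, 9_999)])

if __name__ == "__main__":
    for name, cap in (("coarse (10 ms tick)", COARSE), ("fine", FINE)):
        print(name, analyse(cap))
```

Run against a real file by replacing the constructed captures with `analyse(open("capture.pcap", "rb").read())`; a `resolution_us` of 10000 or 15625 on a RAS capture means the timestamps came from a tick-quantised clock and should not be used for sub-tick timing, whatever the capture tool itself reports.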
