[Winpcap-users] Strange timestamp distribution while sniffing PPP-connections (RAS via netmonitor)

Marc Wetzel mwse at gmx.de
Thu Aug 16 10:36:28 GMT 2007


Hi Gianluca,

but how could another application interfere with the scheduler?
If the application is running the timestamps are looking like some 
"static noise" is added...
(in both directions, positive and negative)

BR
Marc
> Date: Tue, 14 Aug 2007 11:48:08 -0700
> From: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
> Subject: Re: [Winpcap-users] Strange timestamp distribution while
> 	sniffing	PPP-connections (RAS via netmonitor)
> To: <winpcap-users at winpcap.org>
> Message-ID: <27c501c7dea3$a85f6c90$1a4da8c0 at NELSON2>
>
>
> ----- Original Message ----- 
> From: "Marc Wetzel" <mwse at gmx.de>
> To: <winpcap-users at winpcap.org>
> Sent: Tuesday, August 14, 2007 2:52 AM
> Subject: [Winpcap-users] Strange timestamp distribution while sniffing 
> PPP-connections (RAS via netmonitor)
>
>
>   
>> Hi pcap-users,
>>
>> this mail is more a request for comments than a request for a solution -
>> so, please don't hesitate to answer if you have the slightest idea of what 
>> might go on here...
>>
>> We try to capture packets via the "WAN-PPP/Slip interface" using wireshark 
>> (latest version, latest winpcap),
>> this works quite well, but we see one problem:
>> If some special application (a dashboard app, provided from the mobile 
>> network operator) is running on the system,
>> the timestamps are uniformly distributed, if this app is not running the 
>> timestamps are distributed with a minimum gap of 10ms.
>> The PPP-connection is started before- so, the following describes the 
>> process in detail:
>> - Start wireshark, start sniffing
>> - Start Ras connection
>> - Start a ping, or a ftp-download, or http-download
>> - wireshark shows granular timestamps
>> - Start the dashboard app,
>> - Start a ping, or a ftp-download, or http-download
>> - wireshark shows the expected non-granular timestamps
>> - Close the dashboard app,
>> - Start a ping, or a ftp-download, or http-download
>> - wireshark shows granular timestamps, again
>>
>>
>>
>> The system is more or less idle (< 5% cpu-load (with or without the 
>> dashboard-app))
>>
>> We have no clue what is happening here, and we need to know what could be 
>> the cause of this.
>>
>> We thought of
>> - windows task scheduling (but this should show a 15ms gap??)
>>     
>
> I think the reason is actually this one. Depending on the specific version 
> of Windows *and* kernel flavor, the scheduling time can be 10ms or even 
> 15ms. And even if the scheduling quantum is 10 or 15ms, the precision of 
> such timestamps can be less than that in some specific cases.
>
> I just tried on my machine (pinging the other half of a pptp tunnel) and the 
> granularity is around 1ms (I have an XP machine with UP kernel, FWIW).
> In any case, in the case of VPN/dialup, the timestamps are generated 
> directly by NetMon, so WinPcap does not have any control on the precision 
> and accuracy of them. And the MSDN documentation on the timestamps does 
> specify anything.
>
> Have a nice day
> GV
>
>   
>> - tcp-stack intervention of some kind?
>> - we checked several Windows XP builds (with or without service packs, 
>> standard netmonitor or latest update)
>>
>
>> What could interfere in such a way that the timestamps are touched?
>> How does the netmonitor-api get the timestamps? (pcap on ethernet 
>> timestamps are configurable via the registry IIRC)
>> I already inspected the winpcap source parts... and I see that the 
>> timestamps are just pass-thru - only some conversion in
>> unix-timestamps is done.
>>
>> BTW: Sniffing on any ethernet works perfectly (regarding the timestamp 
>> distribution)
>>
>> Thank you in advance for all the ideas you might have,
>>
>> Regards
>> Marc
>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users 
>>     
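
Added example, not part of the original thread and not WinPcap or NetMon code: one way to check offline whether a capture's packet timestamps are quantized to a timer tick, as in the 10 ms "minimum gap" case described above. The candidate ticks (1 ms, 10 ms, 15 ms) are the figures mentioned in the thread; the function names, the 50 us tolerance, the 95% threshold and the sample series are assumptions constructed for illustration.

```python
# Added example: decide whether capture timestamps are quantized to a timer tick.
# Candidate ticks are the 1 ms, 10 ms and 15 ms figures mentioned in the thread;
# the tolerance and threshold are assumed values, and all names are hypothetical.

CANDIDATE_TICKS_US = (1_000, 10_000, 15_000)


def nonzero_deltas(timestamps_us):
    """Gaps between consecutive packets, ignoring packets stamped identically."""
    ts = sorted(timestamps_us)
    return [b - a for a, b in zip(ts, ts[1:]) if b != a]


def tick_fit(timestamps_us, tick_us, tol_us=50):
    """Fraction of gaps lying within tol_us of a whole multiple of tick_us."""
    deltas = nonzero_deltas(timestamps_us)
    if not deltas:
        return 0.0
    hits = 0
    for d in deltas:
        r = d % tick_us
        if min(r, tick_us - r) <= tol_us:
            hits += 1
    return hits / len(deltas)


def detect_tick(timestamps_us, min_fit=0.95, tol_us=50):
    """Largest candidate tick that explains at least min_fit of the gaps, else None."""
    for tick in sorted(CANDIDATE_TICKS_US, reverse=True):
        if tick_fit(timestamps_us, tick, tol_us) >= min_fit:
            return tick
    return None


# Constructed sample data (microseconds since capture start), not real traces.
GRANULAR = [0, 10_000, 10_000, 30_000, 40_000, 70_000, 80_000, 120_000]
JITTERED = [0, 10_012, 19_995, 40_007, 49_990, 80_003]  # 10 ms tick plus small noise
SMOOTH = [0, 1_234, 5_678, 9_013, 14_321, 20_007, 26_111, 31_999]

if __name__ == "__main__":
    for name, series in (("granular", GRANULAR), ("jittered", JITTERED), ("smooth", SMOOTH)):
        print(name, detect_tick(series))
```

A result of None means no candidate tick explains the gaps, which matches the evenly spread timestamps reported while the dashboard application is running.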


