[Winpcap-users] Strange timestamp distribution while sniffing PPP-connections (RAS via netmonitor)
Marc Wetzel
mwse at gmx.de
Tue Aug 21 11:37:27 GMT 2007
Hi pcap-users,
I found a solution for my problem.
The disturbing app seems to use the WINMM API call timeBeginPeriod(1).
This sets the system wide timer to a 1ms resolution. And this seems to
disturb the timestamping of netmon.
If my app also uses this resolution (by calling timeBeginPeriod(1)) I
also get "nice" fine-grained timestamps.
Gianluca, can you please verify this on your test-system? This
information should be added to some kind of winpcap-programmers FAQ, so
no one ever has to search for it again.
It took me just 2 months to figure it out. :)
HTH
/Marc
Marc Wetzel schrieb:
> Hi Gianluca,
>
> but how could another application interfere with the scheduler?
> If the application is running the timestamps are looking like some
> "static noise" is added...
> (in both directions, positive and negative)
>
> BR
> Marc
>> Date: Tue, 14 Aug 2007 11:48:08 -0700
>> From: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
>> Subject: Re: [Winpcap-users] Strange timestamp distribution while
>> sniffing PPP-connections (RAS via netmonitor)
>> To: <winpcap-users at winpcap.org>
>> Message-ID: <27c501c7dea3$a85f6c90$1a4da8c0 at NELSON2>
>> Content-Type: text/plain; format=flowed; charset="iso-8859-15";
>> reply-type=response
>>
>>
>> ----- Original Message ----- From: "Marc Wetzel" <mwse at gmx.de>
>> To: <winpcap-users at winpcap.org>
>> Sent: Tuesday, August 14, 2007 2:52 AM
>> Subject: [Winpcap-users] Strange timestamp distribution while
>> sniffing PPP-connections (RAS via netmonitor)
>>
>>> Hi pcap-users,
>>>
>>> this mail is more a request for comments than a request for a
>>> solution -
>>> so, please don't hesitate to answer if you have the slightest idea
>>> of what might go on here...
>>>
>>> We try to capture packets via the "WAN-PPP/Slip interface" using
>>> wireshark (latest version, latest winpcap),
>>> this works quite well, but we see one problem:
>>> If some special application (a dashboard app, provided by the
>>> mobile network operator) is running on the system,
>>> the timestamps are uniformly distributed; if this app is not running
>>> the timestamps are distributed with a minimum gap of 10ms.
>>> The PPP-connection is started before, so the following describes
>>> the process in detail:
>>> - Start wireshark, start sniffing
>>> - Start Ras connection
>>> - Start a ping, or a ftp-download, or http-download
>>> - wireshark shows granulary timestamps
>>> - Start the dashboard app,
>>> - Start a ping, or a ftp-download, or http-download
>>> - wireshark shows the expected non-granulary timestamps
>>> - Close the dashboard app,
>>> - Start a ping, or a ftp-download, or http-download
>>> - wireshark shows granulary timestamps, again
>>>
>>> The system is more or less idle (< 5% cpu-load (with or without the
>>> dashboard-app))
>>>
>>> We have no clue what is happening here, and we need to know what
>>> could be the cause of this.
>>>
>>> We thought of
>>> - windows task scheduling (but this should show a 15ms gap??)
>>>
>>
>> I think the reason is actually this one. Depending on the specific
>> version of Windows *and* kernel flavor, the scheduling time can be
>> 10ms or even 15ms. And even if the scheduling quantum is 10 or 15ms,
>> the precision of such timestamps can be less than that in some
>> specific cases.
>>
>> I just tried on my machine (pinging the other half of a pptp tunnel)
>> and the granularity is around 1ms (I have an XP machine with UP
>> kernel, FWIW).
>> In any case, in the case of VPN/dialup, the timestamps are generated
>> directly by NetMon, so WinPcap does not have any control on the
>> precision and accuracy of them. And the MSDN documentation on the
>> timestamps doesn't specify anything.
>>
>> Have a nice day
>> GV
>>
>>
>>> - tcp-stack intervention of some kind?
>>> - we checked several Windows XP builds (with or without service
>>> packs, standard netmonitor or latest update)
>>>
>>
>>> What could interfere in such a way that the timestamps are touched?
>>> How does the netmonitor-api get the timestamps? (pcap on ethernet
>>> timestamps are configurable via the registry IIRC)
>>> I already inspected the winpcap source parts... and I see that the
>>> timestamps are just passed through - only some conversion to
>>> unix-timestamps is done.
>>>
>>> BTW: Sniffing on any ethernet works perfectly (regarding the
>>> timestamp distribution)
>>>
>>> Thank you in advance for all the ideas you might have,
>>>
>>> Regards
>>> Marc
>>>
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
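The thread boils down to one measurable symptom: the smallest non-zero gap between packet timestamps in the capture. The following Python script is an added example for this archive page, not code from WinPcap, NetMon, Wireshark or any of the posters. It builds two small libpcap files in memory from constructed timestamps (one with gaps quantized to a 10 ms timer tick, one with sub-2 ms gaps), parses the global header and each record header with `struct`, and reports the minimum and median gap so you can tell the two cases apart without eyeballing a Wireshark column. The 2 ms threshold in `classify_resolution` and the sample timestamps are assumptions of the example, not values from the thread.

```python
"""Check the timestamp granularity of a libpcap capture.

Added example for this thread, not code from WinPcap, NetMon or the posters:
builds pcap byte strings from constructed timestamps, parses them, and reports
the smallest non-zero inter-packet gap. A capture taken at the default Windows
timer tick shows gaps clustered on the tick (10-15.6 ms); one taken while some
process has called timeBeginPeriod(1) shows gaps down to about 1 ms.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4          # standard pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D          # pcap variant with nanosecond timestamps
GLOBAL_HDR = "IHHiIII"           # magic, ver major/minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_frac, incl_len, orig_len


def build_pcap(timestamps_us, endian="<", linktype=1, payload=b"\x00" * 60):
    """Serialize constructed timestamps into a pcap byte string (one dummy frame each)."""
    data = struct.pack(endian + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for ts in timestamps_us:
        sec, usec = divmod(ts, 1_000_000)
        data += struct.pack(endian + RECORD_HDR, sec, usec, len(payload), len(payload))
        data += payload
    return data


def parse_timestamps(data):
    """Return every packet timestamp in microseconds; handles both byte orders and ns pcaps."""
    (magic,) = struct.unpack_from("<I", data, 0)
    table = {
        MAGIC_USEC: ("<", 1),
        0xD4C3B2A1: (">", 1),            # MAGIC_USEC byte-swapped (big-endian writer)
        MAGIC_NSEC: ("<", 1000),         # fractional part is nanoseconds
        0x4D3CB2A1: (">", 1000),         # MAGIC_NSEC byte-swapped
    }
    if magic not in table:
        raise ValueError("not a libpcap file (bad magic 0x%08x)" % magic)
    endian, frac_div = table[magic]
    timestamps, off = [], struct.calcsize(GLOBAL_HDR)
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(endian + RECORD_HDR, data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        timestamps.append(sec * 1_000_000 + frac // frac_div)
        off += incl_len
    return timestamps


def gap_stats(timestamps_us):
    """Smallest and median non-zero gap plus how many records share a timestamp."""
    gaps = sorted(b - a for a, b in zip(timestamps_us, timestamps_us[1:]) if b > a)
    duplicates = len(timestamps_us) - len(set(timestamps_us))
    if not gaps:
        return {"min_gap_us": None, "median_gap_us": None, "duplicate_ts": duplicates}
    return {"min_gap_us": gaps[0], "median_gap_us": gaps[len(gaps) // 2],
            "duplicate_ts": duplicates}


def classify_resolution(timestamps_us, fine_limit_us=2_000):
    """'fine' when the smallest gap is below the (assumed) 2 ms limit, else 'coarse'."""
    stats = gap_stats(timestamps_us)
    if stats["min_gap_us"] is None:
        return "unknown"
    return "fine" if stats["min_gap_us"] < fine_limit_us else "coarse"


# Constructed timestamps (microseconds since the epoch, August 2007) for two captures.
BASE = 1_187_000_000 * 1_000_000
COARSE_TS = [BASE + d for d in (0, 0, 10_000, 10_000, 20_000, 30_000, 30_000, 50_000)]
FINE_TS = [BASE + d for d in (0, 1_200, 2_350, 3_001, 4_998)]

if __name__ == "__main__":
    for label, ts in (("default timer tick", COARSE_TS), ("timeBeginPeriod(1)", FINE_TS)):
        parsed = parse_timestamps(build_pcap(ts))
        print(label, gap_stats(parsed), classify_resolution(parsed))
```

To use it on a real capture, replace the constructed `COARSE_TS`/`FINE_TS` with `parse_timestamps(open("capture.pcap", "rb").read())`; a `min_gap_us` of 10000 or 15625 with many duplicate timestamps is the signature Marc describes for the coarse case, while values around 1000 indicate the 1 ms timer resolution.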