[Winpcap-users] Timestamp reliability

Gianluca Varenni gianluca.varenni at cacetech.com
Fri Dec 7 22:05:07 GMT 2007


Timestamps are generated by WinPcap when the OS notifies the WinPcap driver of the arrival of new packets. This can happen later than the packet was actually received by the hardware. This is caused by a feature that all the network cards implement, usually called interrupt coalescing or interrupt mitigation. In practice the hardware (i.e. the NIC card) doesn't notify the OS (with an interrupt) for every single received packet. Packets are batched and the NIC generates a receive interrupt for the OS (in particular the miniport driver controlling the NIC) only after a certain number of packets have been received within a certain timeout (in the order of some microseconds). The effect of this mitigation is that packets are notified in batches to WinPcap (or to any protocol driver like the TCP/IP one). This mitigation is done in order not to generate too many interrupts that can badly affect the performance of a system.
There is no solution to the problem with WinPcap, as normal network cards and the OS itself have not been designed with packet capture in mind, but rather with the objective of guaranteeing the best possible performance. The usual solution is using capture cards that timestamp packets in hardware. 

I hope this explains the phenomenon you are seeing.
 
Have a nice day
GV

--
Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com
  ----- Original Message ----- 
  From: Claudio Raiti 
  To: Winpcap Users 
  Sent: Friday, December 07, 2007 11:33 AM
  Subject: [Winpcap-users] Timestamp reliability


  Hi,
  I would like to know how reliable NPF timestamps are. When I capture the traffic I created with an application using PACKET.DLL between two notebooks, I note that they are very strange. I've tried to capture with Wireshark too, but the results are the same. If I measure the interspace time between two consecutive frames, I see very often that the timestamps indicate a too short interval. For example, Wireshark gives me these two lines:

  No.    Time    Source    Destination    Protocol    Info

  ...
  9    0.000911    xxxx    ...
  10    0.000912    xxx    ...
  ...

  How is it possible that a frame arrived after one usec? The traffic I create is done with a nominal interframe time of 0.01 ms (that should be over the effective router capacity).

  I'm using an 802.11N router with a PCMCIA wireless card with Atheros chipset AR5008 and Windows XP/Vista on the two notebooks.

  Who can help me?


------------------------------------------------------------------------------


  _______________________________________________
  Winpcap-users mailing list
  Winpcap-users at winpcap.org
  https://www.winpcap.org/mailman/listinfo/winpcap-users
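
Added example, not part of the original messages and not WinPcap code: a check that groups capture timestamps into the batches that interrupt coalescing produces, so per-packet deltas inside a batch are not read as real inter-arrival times. The timestamps are constructed sample data in microseconds, and the 5 µs batch threshold and all function names are assumptions to tune per capture.

```python
# Constructed sample: packet timestamps in microseconds, shaped like the
# 1 usec deltas shown in the Wireshark listing above.
SAMPLE_US = [900, 901, 902, 903,
             1010, 1011, 1012,
             1116, 1117, 1118, 1119, 1120]


def group_batches(timestamps_us, gap_us=5):
    """Split sorted timestamps into batches.

    Packets stamped less than gap_us apart are assumed to have been handed
    to the capture driver in one notification (gap_us is an assumed value).
    """
    batches = []
    for ts in timestamps_us:
        if batches and ts - batches[-1][-1] < gap_us:
            batches[-1].append(ts)
        else:
            batches.append([ts])
    return batches


def summarize(timestamps_us, gap_us=5):
    """Report how much of a capture's timing is affected by batching."""
    ts = sorted(timestamps_us)
    batches = group_batches(ts, gap_us)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "packets": len(ts),
        "batches": len(batches),
        "largest_batch": max((len(b) for b in batches), default=0),
        # Deltas inside a batch reflect driver processing, not arrival time.
        "suspect_deltas": sum(1 for d in deltas if d < gap_us),
        # Averaged over the whole capture, the batching error is bounded by
        # the coalescing delay at the two ends, so this is more trustworthy.
        "mean_interval_us": (ts[-1] - ts[0]) / len(deltas) if deltas else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_US).items():
        print(f"{key}: {value}")
```

For timeline work, this means ordering and timing conclusions should be drawn at batch granularity or from averages over many packets, not from the delta between two adjacent frames.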