[Winpcap-users] Re: Winpcap-users Digest, Vol 37, Issue 20

Golnaz Honarpisheh golak_h at yahoo.com
Tue Apr 22 02:03:05 GMT 2008


Dear Gianluca,
Thanks for your answer. Yes, I could figure out my problem and get the results that I expected.
----- Original Message ----
From: "winpcap-users-request at winpcap.org" <winpcap-users-request at winpcap.org>
To: winpcap-users at winpcap.org
Sent: Monday, April 21, 2008 6:22:05 PM
Subject: Winpcap-users Digest, Vol 37, Issue 20


Today's Topics:

  1. Timestamp accuracy question (Alex Foygel (TT))
  2. Re: Code for unhandled exceptation error (Gianluca Varenni)
  3. Re: RARP Storm upon starting winpcap (Gianluca Varenni)
  4. Re: target not receiving the packets (Gianluca Varenni)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Apr 2008 10:02:25 -0500
From: "Alex Foygel \(TT\)" <Alex.Foygel at tradingtechnologies.com>
Subject: [Winpcap-users] Timestamp accuracy question
To: <winpcap-users at winpcap.org>
Message-ID: <8F544985CD5FE24897B348C988320602064B2DF3 at chiex01>
Content-Type: text/plain; charset="us-ascii"

What is the absolute accuracy of the individual packets' timestamps? As
far as I understand, the relative accuracy (one packet relative to
another packet captured within the same capture session) is 1
microsecond (aside from the issues with SMP, etc.).



But the absolute accuracy, if I understand the code correctly, seems to
be in the order of milliseconds. The code (time_calls.h) uses
KeQuerySystemTime() to get the system time and to calculate the offset
between the system time and the high-resolution values returned by
KeQueryPerformanceCounter().



According to the documentation, even though KeQuerySystemTime() returns
the timestamps in 100 nanoseconds units, it's being updated once every
10 milliseconds. Thus, depending on when during the 10 ms cycle the
Synchronize code ran, the offset calculated by the above mentioned code
can be up to 10 ms off.



Is my interpretation of the code correct?



A simple way of fixing this problem (if it's a problem at all) seems to
be to run KeQuerySystemTime() in a tight loop until the value returned
changes (this should take at most 10 ms because that's how often the
system time is updated) and then use the new value to calculate the
offset. Am I oversimplifying the problem?



The reason I'm asking the question is because I'm trying to understand
whether I can compare the timestamps embedded by my application in my
messages with the timestamps captured by winpcap, to check the time it
takes for my packets to get from the application code (through all the
layers, including the network stack) to the NDIS layer when it gets
captured by winpcap.



Thank you for your help,

Alex Foygel
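
The effect described in the message above, and the tight-loop workaround it proposes, simulated in portable C (an added example, not part of the original message and not WinPcap code). `coarse_time` and `fine_counter` are hypothetical stand-ins for the two kernel clocks, and the 10 ms update interval is the figure given in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Times are in 100 ns units, the unit the message gives for KeQuerySystemTime(). */
#define TICK 100000LL   /* 10 ms update interval, the figure from the message */

static int64_t now;     /* simulated true time; the true offset is therefore 0 */

/* Hypothetical stand-ins, not the kernel calls: a system clock that only
 * advances at tick boundaries and a counter that follows true time. */
static int64_t coarse_time(void)  { return (now / TICK) * TICK; }
static int64_t fine_counter(void) { return now; }

/* Naive sync: sample both clocks once at an arbitrary point in the tick.
 * The returned offset error lies in (-TICK, 0]. */
int64_t naive_offset_error(int64_t start)
{
    now = start;
    return coarse_time() - fine_counter();
}

/* Edge-aligned sync: poll until the coarse clock changes, then pair the new
 * value with the fine counter. poll_cost models one loop iteration, so the
 * error stays below poll_cost and the wait is about one tick at most. */
int64_t edge_offset_error(int64_t start, int64_t poll_cost)
{
    int64_t first, cur;

    now = start;
    first = coarse_time();
    do {
        now += poll_cost;            /* time passes while we spin */
        cur = coarse_time();
    } while (cur == first);
    return cur - fine_counter();
}

int main(void)
{
    int64_t start = 1234567;         /* constructed: 3.4567 ms into a tick */

    printf("naive error: %.1f us\n", naive_offset_error(start) / 10.0);
    printf("edge  error: %.1f us\n", edge_offset_error(start, 10) / 10.0);
    return 0;
}
```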


------------------------------

Message: 2
Date: Mon, 21 Apr 2008 17:20:56 -0700
From: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Subject: Re: [Winpcap-users] Code for unhandled exceptation error
To: <winpcap-users at winpcap.org>
Message-ID: <0f0401c8a40e$bf35ca50$092c16ac at NELSON2>
Content-Type: text/plain; charset="iso-8859-1"

Golnaz,

did you find the source of the problem?

Have a nice day
GV

  ----- Original Message ----- 
  From: Golnaz Honarpisheh 
  To: winpcap-users at winpcap.org 
  Sent: Friday, April 18, 2008 12:37 PM
  Subject: [Winpcap-users] Code for unhandled exceptation error


  Here is my code. However, I think the problem is not from the code, because even when I shorten it to only open the file I get the same error. Another thing is that every time I open my file in a project I have to go to the Project menu and Settings to manually set the wincap.lib; this way there is no error in the build process, but at run time I get a myfilename.exe error and the report shows this message: unhandled exception

  #include "pcap.h"
  #include <stdio.h>
  #include <stdlib.h>
  #include <iostream>
  using namespace std;
  #define LINE_LEN 16
  void find_device(pcap_if_t **all_devices);
  main(int argc, char **argv) {
          int res,i=0;
    struct pcap{};
          char errbuf[PCAP_ERRBUF_SIZE];    /* Error string */
          
    struct pcap_pkthdr *header; /* The header that pcap gives us */
    struct pcap_pkthdr *pcap_header;
    const u_char *packet;  /* The actual packet */
    pcap_t *handle;  /* Session handle */
          char error[PCAP_ERRBUF_SIZE];
          FILE *capfile;
          char *capture_file;
    char *pkt_data;
          int caplen;
          
          pcap_t *pcap_open_offline(char *scapturefile,char *errbuf);
            
      /* Grab a packet
          int code  = pcap_next_ex(handle,&header,&packet);
          if (code < 0)
                  cout << "Error in pcap_next_ex\n";
          /* Print its length
          cout << "length of packet is" << header->len << " bytes\n"; 
          printf("%ld: \n", header->len);

          /* And close the session 
          pcap_close(handle);
          return(0); */
    /* Retrieve the packets from the file */
      while((res = pcap_next_ex( handle, &header, &packet)) >= 0){
          /* print pkt timestamp and pkt len */
          printf("%ld:%ld (%ld)\n", header->ts.tv_sec, header->ts.tv_usec, header->len);          
          
          /* Print the packet */
          for (i=1; (i < header->caplen + 1 ) ; i++)
          {
              printf("%.2x ", pkt_data[i-1]);
              if ( (i % LINE_LEN) == 0) printf("\n");
          }        
          printf("\n\n");    
      }    
      if(res == -1){
          printf("Error reading the packets: %s\n", pcap_geterr(handle));
      }
      
      return 0;
  }
        



  _______________________________________________
  Winpcap-users mailing list
  Winpcap-users at winpcap.org
  https://www.winpcap.org/mailman/listinfo/winpcap-users

------------------------------

Message: 3
Date: Mon, 21 Apr 2008 17:24:09 -0700
From: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Subject: Re: [Winpcap-users] RARP Storm upon starting winpcap
To: <winpcap-users at winpcap.org>
Message-ID: <0f2201c8a40f$31db00c0$092c16ac at NELSON2>
Content-Type: text/plain; charset="iso-8859-1"

Absolutely no idea. And the fact that it happens on Linux with libpcap is pretty weird. Both the Windows machine and the Linux one are VMware guests, I suppose. Right? If so, are you using the original Linux/Windows drivers for the virtual NIC on the guest, or the ones provided by VMware?

Have a nice day
GV

  ----- Original Message ----- 
  From: Michael Domberg 
  To: winpcap-users at winpcap.org 
  Sent: Wednesday, April 16, 2008 11:44 PM
  Subject: [Winpcap-users] RARP Storm upon starting winpcap


  Hi,
  I am using Microsoft Windows Server 2003 with winpcap 4.0.2 on VMware ESX 3. Every time I start a capture (with Windump or Wireshark 1.0.0) winpcap sends a couple of RARP requests. It seems like my host is trying to resolve its own MAC address. The number of requests changes from time to time. Sometimes only 3 requests are generated, sometimes up to 500. Even if I stop capturing, some RARP packets are sent over the network. The capturing host can't see its own RARP requests; all other hosts in the same subnet receive all packets. If two or more hosts within the local network use winpcap, these requests block all other traffic. This even occurs with libpcap on Linux if the Linux host is in the same network.
  All searches in the mailing list, Google Groups and Google were to no avail.

  Any suggestions?

  Michael.




------------------------------

Message: 4
Date: Mon, 21 Apr 2008 17:36:36 -0700
From: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Subject: Re: [Winpcap-users] target not receiving the packets
To: <winpcap-users at winpcap.org>
Message-ID: <0f5501c8a410$ef6b5580$092c16ac at NELSON2>
Content-Type: text/plain; charset="iso-8859-1"

Have you tried connecting the source and the receiver with a cross ethernet cable and see if the receiver receives the packet you sent? Also, what is the packet size you are trying to send?

Have a nice day
GV
  ----- Original Message ----- 
  From: chitra .R 
  To: winpcap-users at winpcap.org 
  Sent: Friday, April 18, 2008 9:25 AM
  Subject: RE: [Winpcap-users] target not receiving the packets



  Hi all,

    Thanks for your reply, I am framing the frame as

  [dstmac addr + src mac addr + type + data]. I tried the type as 0x0800; still I am not able to capture the packet at the target. I verified that both source and destination are on the same network.

  Thanks,
  Chitra



  Fish <fish at infidels.org> wrote:

    Fish wrote:
    > Ethernet is 0x0800, not 0x0000.

    (ACK!) The FRAME TYPE for IP is 0x0800, not 0x0000. Sorry.

    This is presuming you're dealing with IP packets of course.

    ARP would be 0x0806, RARP 0x8035 etc.

    - -- 
    "Fish" (David B. Trout) - fish(at)infidels.org
    Fight Spam! Join CAUCE! 
    (Any HTML email received will be deleted unread)
    PGP key fingerprints:
    RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
    DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A


------------------------------


End of Winpcap-users Digest, Vol 37, Issue 20
*********************************************

