[Winpcap-users] time drift / Windows

Stuart Kendrick skendric at fhcrc.org
Wed Apr 18 14:10:18 PDT 2012 

Hi Helmut,

Got it.  Sounds like this is difficult at the winpcap level.  Thanx for
the response.

--sk

On 4/15/2012 9:57 PM, Helmut Vaupotitsch wrote:
> Hi Stuart,
> I faced the same problems and i don´t think that anyone is more or
> less accurate after some days.
> Since 2 years, i stamp each captured packet by myself (My app runs NPF
> for weeks)
>
> best Regards
> Helmut
>
> Stuart Kendrick schrieb:
>> So, I have a rough grasp of the trade-offs involved in WinPCap's concept
>> of time, mostly from googling for "winpcap, time drift, gianluca
>> verenni" and reading the result ... this is an issue which has appeared
>> on various lists across the last decade or so ... and at root involves
>> some stickiness in the options which Windows offers for tracking time
>>
>> http://seclists.org/wireshark/2012/Apr/85
>> http://seclists.org/wireshark/2010/Aug/311
>>
>> As far as I can tell, twinking with the Registry as below doesn't help
>> -- time still drifts (~30 seconds after two days, in the one test I've
>> run), even with TimestampMode set to '2'
>>
>> Does anyone believe differently?  i.e. is anyone successfully running
>> NPF across multiple days with Winpcap time synced to system time within
>> a second or so?
>>
>> HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
>>
>> Possible values are
>> 0 (default) -> Timestamps generated through
>> KeQueryPerformanceCounter, less reliable on SMP/HyperThreading
>> machines, precision = some microseconds
>> 2 -> Timestamps generated through KeQuerySystemTime, more reliable on
>> SMP/HyperThreading machines, precision = scheduling quantum (10/15 ms)
>> 3 -> Timestamps generated through the i386 instruction RDTSC, less
>> reliable on SMP/HyperThreading/SpeedStep machines, precision = some
>> microseconds
>>
>>
>> Winpcap 4.1.2
>> Win7 Enterprise 64 bit
>> Wireshark 1.7.1
>>
>> --sk
>>
>> Stuart Kendrick
>> FHCRC
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>>   
>

More information about the Winpcap-users mailing list