[Winpcap-users] Timestamping within WinPcap

[Axel Holzinger]

Ciao Gianluc et al,

I learned from
http://www.winpcap.org/pipermail/winpcap-users/2009-April/003140.html
how WinPcap generates its timestamps.

I would like to be able to get rid of the system time in the
timestamps and KeQueryPerformanceCounter (for kernel mode) and
QueryPerformanceCounter (for the user mode side) is just perfect for
what I want to do. So I'm looking for a method to retreive the
performance counter value out of a WinPcap timestamp. To do that I
would need to know the pair of system time and performance counter
value that WinPcap takes (stores) when the capture starts.

>From studying the source I tend to think that the initialization of
this mechanism is done in SynchronizeOnCpu (we're talking about the
case that TimestampMode is configured to zero) which is called by
TIME_SYNCHRONIZE (in the last else case) which is called with
G_Start_Time as the parameter in NPF_Open. But I didn't get completely
behind the secret how that relation (system tine vs. performance
counter value) is done, because already in SynchronizeOnCpu the
current performance counter value is used as a input parameter for
this initial point in time. I also tend to think that the comment "get
the absolute value of the system boot time" is misleading as I don't
see any system call that would read out the system's boot time.

I would be very glad if you could shed a little light on this and tell
me what you think about the idea to be able to read out (by calling
the wpcap.dll from user mode) these initial values to later on be able
to get packet timestamps only depending on the performance counter
with eliminated windows system time (yes, I guess this means adding
functionality to DLL(s) and driver. I would be willing writing a
patch/patches if I do better understand how synchronization works).

Thanks and tanti saluti
Axel