
Wireshark mailing list archives
Re: recorded time in pcap file drifts from system time
From: Stuart Kendrick <skendric () fhcrc org>
Date: Mon, 09 Apr 2012 14:05:37 -0700
OK, so I set HKLM\System\CurrentControlSet\Services\NPF\TimestampMode to '2' and rebooted ...after a couple days of run time, WinPCap's idea of time has drifted ~30s away from system time.
I've searched on "Gianluca Varenni" + timestamp + drift + winpcap and done some reading ... sounds like keeping track of time is difficult ... but Gianluca believes that setting TimestampMode to '2' would help, though perhaps not fix the issue.
Let me turn this around. Is anyone running long duration captures using WinPCap and seeing absolute time in .pcap files stay synced with system time? If this is defeating everyone, then I'll live with it for a while... but if someone is seeing success, then I want to poke more.
[Is this something that the Cace Turbocap cards solve? Or do they instead provide accurate inter-packet timestamps but are also at the mercy of WinPCap for absolute time?]
Intel Core i7 CPU 950
Win7 64 bit
WinPCap 4.1.2

--sk

On 4/7/2012 5:41 AM, Stuart Kendrick wrote:
> Thanx for the detail Guy, including helping me distinguish between the role libpcap plays and the role Wireshark plays
>
> I've updated registries on my flock of sniffers, will test its effectiveness next week (give libpcap a few days to drift its sense of time) and will report back.
>
> --sk
>
>> Or, more generally and accurately, "packet timestamp times, as supplied by WinPcap, may drift from the system time". Those are the time stamps that get written to pcap and pcap-ng files by tcpdump/WinDump, dumpcap, etc..
>>
>> "The method used by the driver to timestamp packets can now be changed without recompiling the driver, modifying a registry key: HKLM\System\CurrentControlSet\Services\NPF\TimestampMode P
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe