<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:eXclaimer = "http://www.exclaimer.co.uk"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR><O:SMARTTAGTYPE name="City"
namespaceuri="urn:schemas-microsoft-com:office:smarttags" /><O:SMARTTAGTYPE
name="place" namespaceuri="urn:schemas-microsoft-com:office:smarttags" /><!--[if !mso]>
<STYLE>st1\:* {
BEHAVIOR: url(#default#ieooui)
}
</STYLE>
<![endif]-->
<STYLE>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=#ffffff>
<DIV><FONT size=2>Michael,</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>which kind of machine is the one showing the timestamp issue?
In particular, I'm interested in knowing if it uses an HyperThreaded processor,
a multicore one, multiple processors or any combination of them.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Have a nice day</FONT></DIV>
<DIV><FONT size=2>GV</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=michael_feeny@ml.com href="mailto:michael_feeny@ml.com">Feeny,
Michael (TD&DS, Applications Infrastructure Svcs.)</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, April 06, 2006 9:16
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Timestamps "jump
back" by ~13 seconds</DIV>
<DIV><BR></DIV>
<DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Hi
all…<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I used Ethereal (very recent
version) to capture packets yesterday. When I open the resultant
Ethereal file, I notice that about every 5 or 10 packets, the timestamp is
roughly 13 seconds earlier than that of the previous packet.
<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Looking more closely, I see a
clump of packets with timestamps that increase normally, then a clump that are
13 seconds earlier (but whose timestamps also increase normally), then a clump
that are 13 seconds later (lining up with the 1<SUP>st</SUP> clump), then a
13-seconds-earlier clump, etc., etc., etc.<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I’m probably not explaining this
well </SPAN></FONT><FONT face=Wingdings size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings">L</SPAN></FONT><FONT
face=Arial size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">.
Here is a sample of the timestamps – this should make it
clearer…<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.475498<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.475604<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.475632<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.087976
(Jumps ahead ~13.5 seconds)<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.132457<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.132573<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.132604<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.134084<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.525248
(Jumps back ~13.5 seconds)<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.525376<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:35.525567<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.283965
(Jumps ahead ~13.5 seconds)<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.882512<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.882613<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">14:26:49.882645<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">… this pattern continues forever
and ever (or, at least for the 35 minutes of the
capture)<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Has anyone seen this? Any
ideas?<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">If I understand how Winpcap works
(that’s a big “IF”), Winpcap grabs the packet, applies a timestamp using the
system clock, passes it to Ethereal, who gives it the next frame number and
adds it to the packet set, and waits for the next packet. So, how these
timestamps are showing this behavior has got me good and puzzled
</SPAN></FONT><FONT face=Wingdings size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Wingdings">J</SPAN></FONT><FONT
face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">.<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I’m waiting for Ethereal &
Winpcap version info (I don’t have direct access to the collecting system), as
well as NIC info, in case it’s relevant. But I thought I’d post this
now, in case there’s an obvious answer.<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Thx
much,<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Michael<O:P></O:P></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><O:P></O:P></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">Michael
Feeny<O:P></O:P></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">TDDS
Application Integration Management<O:P></O:P></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">609-274-2761
(Office)<O:P></O:P></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">484-995-1745
(</SPAN></FONT><FONT face="Comic Sans MS"><SPAN
style="FONT-FAMILY: 'Comic Sans MS'"><NS1:CITY
w:endInsDate="2006-04-06T11:36:00Z" w:endInsAuthor="mfeeny1"
w:insDate="2006-04-06T11:36:00Z" w:insAuthor="mfeeny1"><NS1:PLACE
w:endInsDate="2006-04-06T11:36:00Z" w:endInsAuthor="mfeeny1"
w:insDate="2006-04-06T11:36:00Z" w:insAuthor="mfeeny1"><ST1:CITY
w:st="on"><ST1:PLACE w:st="on"><FONT color=maroon><SPAN
style="COLOR: maroon">Mobile</SPAN></FONT></ST1:PLACE></ST1:CITY></NS1:PLACE></NS1:CITY><FONT
color=maroon><SPAN
style="COLOR: maroon">)<O:P></O:P></SPAN></FONT></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">1-888-MERRIL0
(Page)<O:P></O:P></SPAN></FONT></P>
<P style="MARGIN: 0in 0in 0pt"><FONT face="Comic Sans MS" color=maroon
size=3><SPAN
style="FONT-SIZE: 12pt; COLOR: maroon; FONT-FAMILY: 'Comic Sans MS'">feenyman99
(AIM)</SPAN></FONT><O:P></O:P></P>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"><O:P></O:P></SPAN></FONT></P></DIV></DIV>
<DIV>
<HR color=gray>
</DIV>
<DIV>If you are not an intended recipient of this e-mail, please notify the
sender, delete it and do not read, act upon, print, disclose, copy, retain or
redistribute it. <A href="http://www.ml.com/email_terms/">Click here </A>for
important additional terms relating to this e-mail. <A
href="http://www.ml.com/email_terms/">http://www.ml.com/email_terms/</A></DIV>
<DIV>
<HR color=gray>
</DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>