Hi<br>I follow an advice in my previous question to see in the time_call.h how PCAP works.<br>Following is the code in the file.<br><br>As far as I understand, PCAP uses KeQuerySystemTime to get current system time.<br>And since it has to store in timeval, an EPOCH offset has to be applied.
<br>But I dont understand why PCAP has to substract PTime.QuadPart/TimeFreq.QuadPart out of SystemTime?<br><br>Why cant it just use SystemTime?<br>And if it subtract, wont it miss the "actual" time?<br><br>Another question is, I try to do exactly like this in my program.
<br>But instead of using KeQuerySystemTime and KeQueryPerformanceCounter, <br>I use GetSystemTimeAsFileTime and QueryPerformanceCounter respectively.<br>However, I couldnt get the same time as PCAP.<br>Why?<br><br>What I want to do is to send a packet with timestamp and compare the timestamp with pcap's time stamp.
<br>For this, I need to know precisely how PCAP gets its time.<br><br>Thanks a lot,<br>Isara<br><br>/* KeQueryPerformanceCounter TimeStamps */<br>__inline void SynchronizeOnCpu(struct timeval *start)<br>{<br>// struct timeval *start = (struct timeval*)Data;
<br><br> struct timeval tmp;<br> LARGE_INTEGER SystemTime;<br> LARGE_INTEGER i;<br> ULONG tmp2;<br> LARGE_INTEGER TimeFreq,PTime;<br><br> // get the absolute value of the system boot time. <br> <br>
PTime = KeQueryPerformanceCounter(&TimeFreq);<br> KeQuerySystemTime(&SystemTime);<br> <br> start->tv_sec = (LONG)(SystemTime.QuadPart/10000000-11644473600);<br><br> start->tv_usec = (LONG)((SystemTime.QuadPart%10000000
)/10);<br><br> start->tv_sec -= (ULONG)(PTime.QuadPart/TimeFreq.QuadPart);<br><br> start->tv_usec -= (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);<br><br> if (start->tv_usec < 0)
<br> {<br> start->tv_sec --;<br> start->tv_usec += 1000000;<br> }<br>} <br>