<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:x =
"urn:schemas-microsoft-com:office:excel" xmlns:p =
"urn:schemas-microsoft-com:office:powerpoint" xmlns:a =
"urn:schemas-microsoft-com:office:access" xmlns:dt =
"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s =
"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs =
"urn:schemas-microsoft-com:rowset" xmlns:z = "#RowsetSchema" xmlns:b =
"urn:schemas-microsoft-com:office:publisher" xmlns:ss =
"urn:schemas-microsoft-com:office:spreadsheet" xmlns:c =
"urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa =
"urn:schemas-microsoft-com:office:activation" xmlns:html =
"http://www.w3.org/TR/REC-html40" xmlns:q =
"http://schemas.xmlsoap.org/soap/envelope/" XMLNS:D = "DAV:" xmlns:x2 =
"http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois =
"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir =
"http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds =
"http://www.w3.org/2000/09/xmldsig#" xmlns:dsp =
"http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc =
"http://schemas.microsoft.com/data/udc" xmlns:xsd =
"http://www.w3.org/2001/XMLSchema" xmlns:sub =
"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec =
"http://www.w3.org/2001/04/xmlenc#" xmlns:sp =
"http://schemas.microsoft.com/sharepoint/" xmlns:sps =
"http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi =
"http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf =
"http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf =
"http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver =
"http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m =
"http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels =
"http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t =
"http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m =
"http://schemas.microsoft.com/exchange/services/2006/messages" XMLNS:Z =
"urn:schemas-microsoft-com:"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR>
<STYLE>@font-face {
font-family: Calibri;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
LI.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
DIV.MsoNormal {
FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-compose
}
.MsoChpDefault {
mso-style-type: export-only
}
DIV.Section1 {
page: Section1
}
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=EN-US vLink=purple link=blue bgColor=#ffffff>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Alex.Foygel@tradingtechnologies.com
href="mailto:Alex.Foygel@tradingtechnologies.com">Alex Foygel (TT)</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, April 21, 2008 8:02
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Timestamp
accuracy question</DIV>
<DIV><FONT size=2></FONT><BR></DIV>
<DIV class=Section1>
<P class=MsoNormal>What is the <B>absolute</B> accuracy of the individual
packets’ timestamps? As far as I understand, the relative accuracy (one packet
relative to another packet captured within the same capture session) is 1
microsecond (aside from the issues with SMP, etc.).<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>But the absolute accuracy, if I understand the code
correctly, seems to be in the order of milliseconds. The code (time_calls.h)
uses KeQuerySystemTime() to get the system time and to calculate the offset
between the system time and the high-resolution values returned by
KeQueryPerformanceCounter().<o:p></o:p></P>
<P class=MsoNormal><o:p><FONT face="Courier New"
size=2></FONT></o:p> </P>
<P class=MsoNormal>According to the documentation, even though
KeQuerySystemTime() returns the timestamps in 100 nanoseconds units, it’s
being updated once every 10 milliseconds. Thus, depending on when during the
10 ms cycle the Synchronize code ran, the offset calculated by the above
mentioned code can be up to 10 ms off.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Is my interpretation of the code correct?</P>
<P class=MsoNormal><FONT face="Courier New"
size=2></FONT> </P></DIV></BLOCKQUOTE>
<P class=MsoNormal><FONT face="Courier New"><FONT
size=2><o:p>Yes.</o:p></FONT></FONT></P>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>A simple way of fixing this problem (if it’s a problem at
all) seems to be to run KeQuerySystemTime() in a tight loop until the value
returned changes (this should take at most 10 ms because that’s how often the
system time is updated) and then use the new value to calculate the offset. Am
I oversimplifying the problem?<o:p></o:p></P>
<P class=MsoNormal><o:p><FONT face="Courier New"
size=2></FONT></o:p> </P></BLOCKQUOTE>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2>It could work. Please
consider that this is just the top of an iceberg. This would fix the 10ms issue,
but there are other factors that influence the absolute accuracy of timestamps.
In particular, KeQueryPerformanceTimer is not influenced by any time adjustment
made on the system clock (e.g. from an NTP server), it's a sort of free running
counter.</FONT></o:p></P>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>The reason I’m asking the question is because I’m trying to
understand whether I can compare the timestamps imbedded by my application in
my messages with the timestamps captured by winpcap, to check the time
it takes for my packets to get from the application code (through all the
layers, including the network stack) to the NDIS layer when it gets captured
by winpcap.<o:p></o:p></P></BLOCKQUOTE>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2></FONT></o:p> </P>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2>That can be a tough
problem. What is the exact scenario you are using? Are the transmitter and the
receiver on the same machine?</FONT></o:p></P>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2></FONT></o:p> </P>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2>Have a nice
day</FONT></o:p></P>
<P class=MsoNormal><o:p><FONT face="Courier New" size=2>GV</FONT></o:p></P>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>Thank you for your help,<o:p></o:p></P>
<P class=MsoNormal>Alex Foygel<o:p></o:p></P>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>