<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE>.hmmessage P {
        PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
        FONT-SIZE: 10pt; FONT-FAMILY: Verdana
}
</STYLE>
<META content="MSHTML 6.00.2900.5726" name=GENERATOR></HEAD>
<BODY class=hmmessage bgColor=#ffffff>
<DIV><FONT face="Courier New">There is no way to do that directly. </FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">A way to do that is to create some custom
application that periodically takes the values for QueryPerformanceCounter and
QuerySystemTime, and then massages the timestamps interpolating the
values.</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Also, if you close the winpcap instance
(pcap_close) and there are *no* other capture instances on the system, the
QueryPerformanceCounter value is re-synchronized.</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Finally, you can create files every
hour, and between each file close the winpcap instance, stop the winpcap driver
and restart it (so that the value is latched again).</FONT></DIV>
<DIV><FONT face="Courier New"></FONT> </DIV>
<DIV><FONT face="Courier New">Have a nice day</FONT></DIV>
<DIV><FONT face="Courier New">GV</FONT></DIV>
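<DIV><FONT face="Courier New">The interpolation approach described above, as an added example that is not part of this thread or of WinPcap's own code: a hypothetical helper application records (QueryPerformanceCounter, system time) pairs once an hour, and a post-processing step maps each packet's counter-based timestamp onto system time by linear interpolation between the bracketing pairs. The function and type names, the 10 MHz counter frequency (so counter ticks and 100 ns system-time units match 1:1) and the 0.1% counter drift in the sample data are all constructed for the example; driver_timestamp() models the latch-once behaviour the driver has in KeQueryPerformanceCounter mode.</FONT></DIV>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One calibration sample: QueryPerformanceCounter and the system clock read
 * back-to-back by the hypothetical helper application. Both are kept in
 * 100 ns units; a 10 MHz counter is assumed (constructed, not from the thread). */
typedef struct {
    int64_t qpc_ticks;
    int64_t sys_100ns;
} calib_sample_t;

/* What the driver effectively does in KeQueryPerformanceCounter mode: system
 * time is latched once at capture start and every later packet is stamped
 * latched_sys + counter delta. Drift of the counter against the NTP-disciplined
 * system clock is never corrected until the capture is restarted. */
int64_t driver_timestamp(const calib_sample_t *start, int64_t qpc)
{
    return start->sys_100ns + (qpc - start->qpc_ticks);
}

static int64_t round_i64(double x)
{
    return x >= 0.0 ? (int64_t)(x + 0.5) : -(int64_t)(-x + 0.5);
}

/* Post-processing fix: map a counter-based packet timestamp onto system time by
 * linear interpolation between the two calibration samples that bracket it
 * (extrapolating from the nearest pair outside the sampled range).
 * Returns 0 on success, -1 if fewer than two samples or counter not increasing. */
int qpc_to_systime(const calib_sample_t *s, size_t n, int64_t qpc, int64_t *out)
{
    if (n < 2) return -1;
    size_t i = 0;
    while (i + 2 < n && s[i + 1].qpc_ticks <= qpc) i++;
    const calib_sample_t *a = &s[i], *b = &s[i + 1];
    int64_t dq = b->qpc_ticks - a->qpc_ticks;
    if (dq <= 0) return -1;
    /* fraction of the way from a to b, in double to avoid int64 overflow */
    double frac = (double)(qpc - a->qpc_ticks) / (double)dq;
    *out = a->sys_100ns + round_i64(frac * (double)(b->sys_100ns - a->sys_100ns));
    return 0;
}

/* Constructed hourly samples: the counter runs 0.1% slow against system time,
 * so raw driver timestamps drift backwards the longer the capture runs. */
static const calib_sample_t SAMPLES[] = {
    { 1000000000LL,  100000000000LL },
    { 36964000000LL, 136000000000LL },
    { 72928000000LL, 172000000000LL },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void)
{
    int64_t qpc = 18982000000LL;   /* packet seen half an hour into the capture */
    int64_t fixed = 0;
    int64_t raw = driver_timestamp(&SAMPLES[0], qpc);
    qpc_to_systime(SAMPLES, NSAMPLES, qpc, &fixed);
    printf("raw driver timestamp : %lld\n", (long long)raw);
    printf("interpolated         : %lld\n", (long long)fixed);
    printf("error before fix     : %.3f s\n", (double)(fixed - raw) / 1e7);
    return 0;
}
```

<DIV><FONT face="Courier New">With the constructed samples the raw timestamp half an hour into the capture lags system time by 1.8 s while the interpolated one lands on it exactly; the same routine can be run over every packet of a dump file, taking the calibration log recorded alongside it as input.</FONT></DIV>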
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=nico_de_moor@hotmail.com href="mailto:nico_de_moor@hotmail.com">nico
de moor</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, December 18, 2009 7:21
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [Winpcap-users] Dumpcap
timestamp discrepancy after extended period of time</DIV>
<DIV><BR></DIV>Hi,<BR><BR>We have several trace PCs
(synchronized with an NTP server) which are continuously capturing packets in our
VoIP network. When we need to analyze a call we filter out these calls and
want to merge them chronologically, but the timestamps in the files do not
match when the traces have been running for an extended period of time, due to the
timestamp mode being set to 'generated through KeQueryPerformanceCounter'. When we
change the timestamp mode setting to 'generated through KeQuerySystemTime' the
time is correct, but due to the high amount of traffic in our network we have
lots of packets with the same timestamp, which is also not workable.<BR><BR>Is
it possible to have the timestamp generated through PerformanceCounter but
periodically updated (e.g. with creation of a new file or once every hour) with
the system time?<BR><BR>Br. Nico
<BR><BR><BR>-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------<BR><PRE>>From: <A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">winpcap-users-bounces at winpcap.org</A> [<A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">winpcap-users-bounces at winpcap.org</A>] On Behalf Of Gianluca Varenni [<A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">gianluca.varenni at cacetech.com</A>]<BR>>Sent: Thursday, April 16, 2009 15:03<BR>>To: <A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">winpcap-users at winpcap.org</A><BR>>Subject: Re: [Winpcap-users] FW: [Wireshark-users] FW: Dumpcap timestampdiscrepancy<BR>><BR>>What happens is that the WinPcap driver synchronizes with the system clock<BR>>when you start the capture, and then uses the timestamps returned by<BR>>KeQueryPerformanceCounter, which represent the number of 100ns ticks since<BR>>boot time. 
Such clock doesn't get resynchronized when your machine<BR>>synchronizes its clock on the network with NTP or similar systems.<BR>><BR>>If you accept a timestamp precision in the order of some milliseconds, the<BR>>workaround is to switch the timestamping mode to the system time, which has<BR>>a granularity in the order of 10-15milliseconds.<BR>><BR>>This can be done by modifying a registry key:<BR>> HKLM\System\CurrentControlSet\Services\NPF\TimestampMode<BR>> Possible values are<BR>> * 0 (default) -> Timestamps generated through KeQueryPerformanceCounter,<BR>> less reliable on SMP/HyperThreading machines,<BR>> precision = some microseconds<BR>> * 2 -> Timestamps generated through KeQuerySystemTime,<BR>> more reliable on SMP/HyperThreading machines,<BR>> precision = scheduling quantum (10/15 ms)<BR>> * 3 -> Timestamps generated through the i386 instruction RDTSC,<BR>> less reliable on SMP/HyperThreading/SpeedStep machines,<BR>> precision = some microseconds<BR>><BR>>After that you need to restart the npf service (or reboot your machine).<BR>><BR>>Have a nice day<BR>>GV<BR><BR><BR>----- Original Message -----<BR>From: "Phil Paradis" <<A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">Phil.Paradis at unitedtote.com</A>><BR>To: <<A href="https://www.winpcap.org/mailman/listinfo/winpcap-users">winpcap-users at winpcap.org</A>><BR>Sent: Wednesday, April 15, 2009 11:58 PM<BR>Subject: [Winpcap-users] FW: [Wireshark-users] FW: Dumpcap<BR>timestampdiscrepancy<BR><BR><BR>><I>I was referred here from the wireshark-users list; here's the original<BR></I>><I>post:<BR></I>><I><BR></I>><I> Phil Paradis wrote:<BR></I>>><I> We have a sniffer running continuously in one of our facilities,<BR></I>>><I> capturing<BR></I>>><I> data to/from a specific system. The box is running Windows XP Pro (SP-3)<BR></I>>><I> and<BR></I>>><I> dumpcap is running as a service using srvany.exe. 
The clock on this<BR></I>>><I> system is<BR></I>>><I> synchronized with the rest of the hosts on this network.<BR></I>>><I><BR></I>>><I> When left running for an extended period of time (weeks/months) it seems<BR></I>>><I> the<BR></I>>><I> timestamps recorded in our captures slowly drift backwards. The timestamp<BR></I>>><I> recorded in the filename as each new file is created matches the system<BR></I>>><I> time<BR></I>>><I> relatively well (from observation; i.e. when BAT_99717_20090415222212.cap<BR></I>>><I> was<BR></I>>><I> created, the system clock showed 10:22 PM.) however the packet timestamps<BR></I>>><I> within the file are off by a significant amount. (In this particular<BR></I>>><I> example,<BR></I>>><I> the first packet in the file has a timestamp of 22:16:18, nearly 6<BR></I>>><I> minutes<BR></I>>><I> earlier than when the file was opened.)<BR></I>>><I><BR></I>>><I> Stopping and restarting the service seems to correct this; after a<BR></I>>><I> restart,<BR></I>>><I> the first packet in the new file had a timestamp closely matching the<BR></I>>><I> timestamp in the filename (and the system time.)<BR></I>>><I><BR></I>>><I> What documentation I can find seems to indicate that WinPCap obtains the<BR></I>>><I> timestamp from the system as packets are received; since the system<BR></I>>><I> itself<BR></I>>><I> reflects the correct time, the discrepancy we are seeing strikes me as<BR></I>>><I> rather<BR></I>>><I> odd. Has anyone else seen this or know what could cause it?<BR></I>>><I><BR></I>>><I> The command line used to start Dumpcap from SrvAny is:<BR></I>>><I><BR></I>>><I> -i \Device\NPF_{ABF2B612-CEAA-46CE-BEEB-D401F37BAEFF} -B 8 -b<BR></I>>><I> filesize:5000<BR></I>>><I> -b files:5000 -w c:\sniff\BAT.cap<BR></I>>><I><BR></I>>><I> The version of Wireshark we are using is 1.0.0, with WinPcap 4.0.2. (Yes,<BR></I>>><I> I<BR></I>>><I> know it's old. 
We can easily update to the latest version, but I figured<BR></I>>><I> I'd<BR></I>>><I> ask anyway in case anyone knows of a different cause for this issue.)<BR></I>>><I><BR></I>>><I> Thanks,<BR></I>>><I><BR></I>>><I> -- Phil</I></PRE><A
href="https://www.winpcap.org/mailman/listinfo/winpcap-users"><BR></A><BR>
<P>
<HR>
<P></P>_______________________________________________<BR>Winpcap-users
mailing
list<BR>Winpcap-users@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-users<BR></BLOCKQUOTE></BODY></HTML>