<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=koi8-r">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<base href="x-msg://1/">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:"Geneva CY";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Comic Sans MS";
        panose-1:3 15 7 2 3 3 2 2 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.preprocessor
        {mso-style-name:preprocessor;}
span.keywordtype
        {mso-style-name:keywordtype;}
span.comment
        {mso-style-name:comment;}
span.keywordflow
        {mso-style-name:keywordflow;}
span.stringliteral
        {mso-style-name:stringliteral;}
span.EmailStyle26
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=WordSection1>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You’re welcome.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As to your problem there might not be anything you can do about
it. Then again however, there <i>might</i> be some things you can do to reduce
the effect. Things like using Windows 7 (with its Timer Coalescing feature) instead
of Windows XP. Disabling “SpeedStep” if your system supports it (so
as to increase the accuracy of QueryPerformanceCounter which is what WinPCap
uses to timestamp all its received packets with). You should also check to make
sure you have the latest BIOS version installed too.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I doubt šit will help any (esp. if you’re using Windows 7
with its Timer Coalescing feature), BUT... you might try using š“timeBeginPeriod”
and “timeEndPeriod”, which I’ve heard sometimes increases the
accuracy of Windows’s timers.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Finally, many (if not all) of the issues listed in my post to yulou
liu ("About the packets loss, what is the bottleneck?") quite likely apply
in your case too. That is to say, if you’re doing using older
single-processor hardware using an older version of Windows, etc, then it’s
hardly surprising that the timestamps are inconsistent from one another.
Windows can only do one thing at a time with only one processor, and even with
multiple processors there are bottlenecks involved when you have unnecessary
services running and/or unnecessary applications running.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you’re truly interested in obtaining the most accurate
timings possible I would use dedicated hardware specifically for that purpose (or
at the very least a real-time operating system and not a consumer level operating
system like Windows).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Describe your hardware and operating environment again?<o:p></o:p></span></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif";color:black'>-- </span><span
style='color:#1F497D'><br>
</span><span style='font-size:13.5pt;font-family:"Arial","sans-serif";
color:black'> "</span><b><span style='font-family:"Arial","sans-serif";
color:green'>Fish</span></b><span style='font-size:13.5pt;font-family:"Arial","sans-serif";
color:black'>"</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'> (</span><span style='font-size:10.0pt;font-family:"Comic Sans MS";
color:purple'>David B. Trout</span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif";color:#1F497D'>)</span><span style='color:#1F497D'> <br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'> </span><span style='color:#1F497D'>š </span><u><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>fish@softdevlabs.com</span></u><span
style='color:#1F497D'><o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org] <b>On
Behalf Of </b>Alimjan Kuramshin<br>
<b>Sent:</b> Sunday, September 19, 2010 5:46 AM<br>
<b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> Re: [Winpcap-users] WinPCAP packets capture delay..<br>
<b>Importance:</b> High<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Hi, Devid! Maaany thanks for Your reply. NO, it's just an
example MAC's, actually i'm using hardware MAC's. And one more thing, my PC
(laptop) connected directly to the other PC (or custom device, it doesn't
mater i guess).. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Many thanks for Your attention, i've spend about 6-8 month
with this problem, and still no luck :(<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>19.09.2010, × 15:25, Fish (David B. Trout) ÎÁÐÉÓÁÌ(Á):<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>FYI: be careful with the MAC address you choose.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Any MAC address with the<span class=apple-converted-space> </span><u>0x01</u><span
class=apple-converted-space> </span>bit on in the<span
class=apple-converted-space> </span><u>first byte</u><span
class=apple-converted-space> </span>is considered an<span
class=apple-converted-space> </span><i><u>all-stations</u></i><span
class=apple-converted-space><u> </u></span><i><u>broadcast</u>.</i></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Is that what you actually intended to do? Send 10,000
packets to ALL/every network adapter on your local network?? (if your
host has more than one network adapter on the same physical network segment then
they’ll<span class=apple-converted-space> </span><i>both</i><span
class=apple-converted-space> </span>receive every packet.)</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you need a MAC address to test with, the IANNA has reserved
the range 00-00-5E-00-00-00 through 00-00-5E-FF-FF-FF just for that purpose.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>See the section “IANA ETHERNET ADDRESS BLOCK - UNICAST
USE” (about 0.75 of the way down the web page) in the following document:</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.5pt;
font-family:"Calibri","sans-serif";color:#1F497D'> <a
href="http://www.iana.org/assignments/ethernet-numbers">http://www.iana.org/assignments/ethernet-numbers</a></span><o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif";
color:black'>--<span class=apple-converted-space> </span></span><span
style='color:#1F497D'><br>
</span><span style='font-size:13.5pt;font-family:"Arial","sans-serif";
color:black'> "</span><b><span style='font-family:"Arial","sans-serif";
color:green'>Fish</span></b><span style='font-size:13.5pt;font-family:"Arial","sans-serif";
color:black'>"</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'> (</span><span style='font-size:10.0pt;font-family:"Comic Sans MS";
color:purple'>David B. Trout</span><span style='font-size:10.0pt;font-family:
"Arial","sans-serif";color:#1F497D'>)</span><span class=apple-converted-space><span
style='color:#1F497D'> </span></span><span style='color:#1F497D'><br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'> </span><span style='color:#1F497D'> <span
class=apple-converted-space> </span></span><u><span style='font-size:10.0pt;
font-family:"Arial","sans-serif";color:blue'><a
href="mailto:fish@softdevlabs.com">fish@softdevlabs.com</a></span></u><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt;
border-width:initial;border-color:initial'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="mailto:winpcap-users-bounces@winpcap.org">winpcap-users-bounces@winpcap.org</a><span
class=apple-converted-space> </span>[mailto:winpcap-users-bounces@winpcap.org]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>Alimjan Kuramshin<br>
<b>Sent:</b><span class=apple-converted-space> </span>Saturday, September
18, 2010 2:33 PM<br>
<b>To:</b><span class=apple-converted-space> </span><a
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>
<b>Subject:</b><span class=apple-converted-space> </span>[Winpcap-users]
WinPCAP packets capture delay..<br>
<b>Importance:</b><span class=apple-converted-space> </span>High</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Hello!<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Gianluca, can u run this code on Your machine and running
the Wireshark save the log and send it to me, please..<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Is there any delays, i mean delays between the packets that
Wireshark (winpcap) capture?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>P.S. code from WinPcap documentation, sending packets, not
one, but 10000 (or 1000000)..<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div><pre><span class=preprocessor>#include <stdlib.h></span><o:p></o:p></pre><pre><span
class=preprocessor>#include <stdio.h></span><o:p></o:p></pre><pre> <o:p></o:p></pre><pre><span
class=preprocessor>#include <pcap.h></span><o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre><pre><span
class=keywordtype>void</span> main(<span class=keywordtype>int</span> argc, <span
class=keywordtype>char</span> **argv)<o:p></o:p></pre><pre>{<o:p></o:p></pre><pre><a
href="http://www.winpcap.org/docs/docs_412/html/group__wpcap__def.html#ga4711d025f83503ce692efa5e45ec60a7"
title="Descriptor of an open capture instance. This structure is opaque to the user, that...">pcap_t</a> *fp;<o:p></o:p></pre><pre><span
class=keywordtype>char</span> errbuf[<a
href="http://www.winpcap.org/docs/docs_412/html/group__wpcap__def.html#gacd448353957d92c98fccc29e1fc8d927"
title="Size to use when allocating the buffer that contains the libpcap errors.">PCAP_ERRBUF_SIZE</a>];<o:p></o:p></pre><pre>u_char packet[100];<o:p></o:p></pre><pre><span
class=keywordtype>int</span> i;<o:p></o:p></pre><pre>volatile int n_pkts = 10000; // 1000000<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=comment>/* Check the validity of the command line */</span><o:p></o:p></pre><pre> <span
class=keywordflow>if</span> (argc != 2)<o:p></o:p></pre><pre> {<o:p></o:p></pre><pre> printf(<span
class=stringliteral>"usage: %s interface (e.g. 'rpcap://eth0')"</span>, argv[0]);<o:p></o:p></pre><pre> <span
class=keywordflow>return</span>;<o:p></o:p></pre><pre> }<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=comment>/* Open the output device */</span><o:p></o:p></pre><pre> <span
class=keywordflow>if</span> ( (fp= <a
href="http://www.winpcap.org/docs/docs_412/html/group__wpcapfunc.html#ga2b64c7b6490090d1d37088794f1f1791"
title="Open a generic source in order to capture / send (WinPcap only) traffic.">pcap_open</a>(argv[1], <span
class=comment>// name of the device</span><o:p></o:p></pre><pre> 65536, <span
class=comment>// portion of the packet to capture (only the first 100 bytes)</span><o:p></o:p></pre><pre> <a
href="http://www.winpcap.org/docs/docs_412/html/group__remote__open__flags.html#ga9134ce51a9a6a7d497c3dee5affdc3b9"
title="Defines if the adapter has to go in promiscuous mode.">PCAP_OPENFLAG_PROMISCUOUS</a>, <span
class=comment>// promiscuous mode</span><o:p></o:p></pre><pre> 1000, <span
class=comment>// read timeout</span><o:p></o:p></pre><pre> NULL, <span
class=comment>// authentication on the remote machine</span><o:p></o:p></pre><pre> errbuf <span
class=comment>// error buffer</span><o:p></o:p></pre><pre> ) ) == NULL)<o:p></o:p></pre><pre> {<o:p></o:p></pre><pre> fprintf(stderr,<span
class=stringliteral>"\nUnable to open the adapter. %s is not supported by WinPcap\n"</span>, argv[1]);<o:p></o:p></pre><pre> <span
class=keywordflow>return</span>;<o:p></o:p></pre><pre> }<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=comment>/* Supposing to be on ethernet, set mac destination to 1:1:1:1:1:1 */</span><o:p></o:p></pre><pre> packet[0]=1;<o:p></o:p></pre><pre> packet[1]=1;<o:p></o:p></pre><pre> packet[2]=1;<o:p></o:p></pre><pre> packet[3]=1;<o:p></o:p></pre><pre> packet[4]=1;<o:p></o:p></pre><pre> packet[5]=1;<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=comment>/* set mac source to 2:2:2:2:2:2 */</span><o:p></o:p></pre><pre> packet[6]=2;<o:p></o:p></pre><pre> packet[7]=2;<o:p></o:p></pre><pre> packet[8]=2;<o:p></o:p></pre><pre> packet[9]=2;<o:p></o:p></pre><pre> packet[10]=2;<o:p></o:p></pre><pre> packet[11]=2;<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=comment>/* Fill the rest of the packet */</span><o:p></o:p></pre><pre> <span
class=keywordflow>for</span>(i=12;i<100;i++)<o:p></o:p></pre><pre> {<o:p></o:p></pre><pre> packet[i]=(u_char)i;<o:p></o:p></pre><pre> }<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> while (n_pkts--)<o:p></o:p></pre><pre> <span
class=comment>/* Send down the packet */</span><o:p></o:p></pre><pre> <span
class=keywordflow>if</span> (<a
href="http://www.winpcap.org/docs/docs_412/html/group__wpcapfunc.html#ga51dbda0f1ab9da2cfe49d657486d50b2"
title="Send a raw packet.">pcap_sendpacket</a>(fp, packet, 100 <span
class=comment>/* size */</span>) != 0)<o:p></o:p></pre><pre> {<o:p></o:p></pre><pre> fprintf(stderr,<span
class=stringliteral>"\nError sending the packet: %s\n"</span>, <a
href="http://www.winpcap.org/docs/docs_412/html/group__wpcapfunc.html#ga81305cb154e4497e95bbb9b708631a3a"
title="return the error text pertaining to the last pcap library error.">pcap_geterr</a>(fp));<o:p></o:p></pre><pre> <span
class=keywordflow>return</span>;<o:p></o:p></pre><pre> }<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <span
class=keywordflow>return</span>;<o:p></o:p></pre><pre>}<o:p></o:p></pre><pre>/* EOF */<o:p></o:p></pre><pre>Thanks, bye..<o:p></o:p></pre><pre> <o:p></o:p></pre>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><span style='font-size:13.5pt;font-family:"Geneva CY","serif"'>_______________________________________________<br>
Winpcap-users mailing list<br>
<a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>
<a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>