<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you are time-stamping the packets yourself you need to calculate
a delta between <i>your</i> timestamp and WinPCap’s timestamp, and then adjust
your timestamp accordingly. Otherwise the two of you, over time, will become
further and further out of sync from one another due to the operating system’s
adjustment to the value returned by GetSystemTime (which is <i>exactly</i> the
behavior you claim you are currently experiencing).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Bottom line: the problem is likely with your time-stamping logic
(and/or how you are reporting it), and not with WinPCap.<o:p></o:p></span></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif"'>-- </span><span
style='color:#1F497D'><br>
</span><span style='font-size:13.5pt;font-family:"Arial","sans-serif"'>
"</span><b><span style='font-family:"Arial","sans-serif";color:green'>Fish</span></b><span
style='font-size:13.5pt;font-family:"Arial","sans-serif"'>"</span><span
style='font-size:10.0pt;font-family:"Arial","sans-serif"'> (</span><span
style='font-size:10.0pt;font-family:"Comic Sans MS";color:purple'>David B.
Trout</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>)</span><span style='color:#1F497D'> <br>
</span><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";
color:#1F497D'> </span><span style='color:#1F497D'> </span><u><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:blue'>fish@softdevlabs.com</span></u><span
style='color:#1F497D'><o:p></o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <b>On Behalf Of </b>Helmut
Vaupotitsch<br>
<b>Sent:</b> Tuesday, September 14, 2010 9:18 AM<br>
<b>To:</b> winpcap-users@winpcap.org<br>
<b>Subject:</b> [Winpcap-users] timestamping and huge latency<br>
<b>Importance:</b> High<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><tt><span style='font-size:10.0pt'>Hi Gianluca and all
others,</span></tt><span style='font-size:10.0pt;font-family:"Courier New"'><br>
<br>
<tt>I am facing a major latency problem on *long lasting* capture sessions
which maybe </tt><br>
<tt>has to do with timestamping by the driver, every hint to solve it is
appreciated:</tt><br>
<br>
<tt>We developed a proprietary protocol to configure, manage and monitor </tt><br>
<tt>our self-developed hardware, the config software uses WinPCap to capture
and send raw packets.</tt><br>
<br>
<tt>Everything is working fine, but after some days of continuous capturing i
face:</tt><br>
<tt>- On some machines, the latency between sending requests and receiving the
answer </tt><br>
<tt> increases to some seconds (can be up to >30 secs after capturing
for a week!)</tt><br>
<tt>Closing and re-opening the driver would solve the problem, but i definitely
need to capture</tt><br>
<tt>for months and longer without interrupt!</tt><br>
<br>
<tt>I know that the driver timestamp is drifting apart from the System
Time(which can be</tt><br>
<tt>synchronized by e.g. a NTP server), therefore i timestamp the frames my
myself(which </tt><br>
<tt>is also important if a use timeouts)</tt><br>
<br>
<tt><b>My question is:</b></tt><b><br>
<tt>What could be the reason(s) for huge latency on long lasting captures?</tt><br>
</b><tt>I know that the latency increases on receiving packets</tt><br>
<tt>Currently i don´t know if sending´s latency also increases</tt><br>
<tt>Maybe it has something to do with the GetSystemTimeAdjustment setting?</tt><br>
</span><br>
<span style='font-size:10.0pt;font-family:"Courier New"'><br>
<tt>Thanks for reading</tt><br>
<br>
<tt>Best regards from Austria</tt><br>
<tt>Helmut</tt><br>
<br>
</span><br>
Gianluca Varenni schrieb: <o:p></o:p></p>
<pre>The return value of QuerySystemTime and QueryPerformanceCounter is <o:p></o:p></pre><pre>synchronized at the beginning of the capture (to compute the offset between <o:p></o:p></pre><pre>epoch time and QueryPerformanceCounter), and then the counter and frequency <o:p></o:p></pre><pre>returned by QPC are used to compute the number of seconds (and microseconds) <o:p></o:p></pre><pre>and added to the offset.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>The timestamping code is available in the source code of WinPcap, <o:p></o:p></pre><pre>winpcap\packetntx\driver\time_calls.h<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Have a nice day<o:p></o:p></pre><pre>GV<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>--------------------------------------------------<o:p></o:p></pre><pre>From: "Jan Martinec" <a
href="mailto:martij12@fel.cvut.cz"><martij12@fel.cvut.cz></a><o:p></o:p></pre><pre>Sent: Tuesday, September 14, 2010 7:23 AM<o:p></o:p></pre><pre>To: <a
href="mailto:winpcap-users@winpcap.org"><winpcap-users@winpcap.org></a><o:p></o:p></pre><pre>Subject: [Winpcap-users] timestamp<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hello!<o:p></o:p></pre><pre>I've got a question about timestamping method. I know that a timestamp<o:p></o:p></pre><pre>is got using method QueryPerformanceCounter (resp.<o:p></o:p></pre><pre>keQueryPerformanceCounter), which is a number of ticks of Performance<o:p></o:p></pre><pre>counter. But timestamp is by Winpcap returned in "Seconds since Epoch"<o:p></o:p></pre><pre>format. So how is the recomputation done?<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Thank you very much<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Best regards,<o:p></o:p></pre><pre>Jan Martinec<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>Winpcap-users mailing list<o:p></o:p></pre><pre><a
href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre><pre><a
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>Winpcap-users mailing list<o:p></o:p></pre><pre><a
href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><o:p></o:p></pre><pre><a
href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre><pre>----------------------------------------------------------------<o:p></o:p></pre><pre>Ing. Helmut Vaupotitsch Phone: +43 (0)3133 3780 16<o:p></o:p></pre><pre>ITEC Tontechnik und Fax: +43 (0)3133 3780 9<o:p></o:p></pre><pre>Industrieelektronik GmbH E-mail: <a
href="mailto:hv@itec-audio.com">hv@itec-audio.com</a><o:p></o:p></pre><pre>A-8200 Lassnitzthal 300 URL: <a
href="http://www.itec-audio.com">http://www.itec-audio.com</a><o:p></o:p></pre><pre>----------------------------------------------------------------<o:p></o:p></pre></div>
</div>
</body>
</html>