[Winpcap-users] Timestamps "jump back" by ~13 seconds

Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) michael_feeny at ml.com
Thu Apr 6 16:16:23 GMT 2006 

Hi all...

 

I used Ethereal (very recent version) to capture packets yesterday.
When I open the resultant Ethereal file, I notice that about every 5 or
10 packets, the timestamp is roughly 13 seconds earlier than that of the
previous packet.  

 

Looking more closely, I see a clump of packets with timestamps that
increase normally, then a clump that are 13 seconds earlier (but whose
timestamps also increase normally), then a clump that are 13 seconds
later (lining up with the 1st clump), then a 13-seconds-earlier clump,
etc., etc., etc.

 

I'm probably not explaining this well :-(.  Here is a sample of the
timestamps - this should make it clearer...

 

14:26:35.475498

14:26:35.475604

14:26:35.475632

14:26:49.087976            (Jumps ahead ~13.5 seconds)

14:26:49.132457

14:26:49.132573

14:26:49.132604

14:26:49.134084

14:26:35.525248            (Jumps back ~13.5 seconds)

14:26:35.525376

14:26:35.525567

14:26:49.283965            (Jumps ahead ~13.5 seconds)

14:26:49.882512

14:26:49.882613

14:26:49.882645

... this pattern continues forever and ever (or, at least for the 35
minutes of the capture)

 

Has anyone seen this?  Any ideas?

 

If I understand how Winpcap works (that's a big "IF"), Winpcap grabs the
packet, applies a timestamp using the system clock, passes it to
Ethereal, who gives it the next frame number and adds it to the packet
set, and waits for the next packet.  So, how these timestamps are
showing this behavior has got me good and puzzled :-).

 

I'm waiting for Ethereal & Winpcap version info (I don't have direct
access to the collecting system), as well as NIC info, in case it's
relevant.  But I thought I'd post this now, in case there's an obvious
answer.

 

Thx much,

Michael

 

Michael Feeny

TDDS Application Integration Management

609-274-2761 (Office)

484-995-1745 (Mobile)

1-888-MERRIL0 (Page)

feenyman99 (AIM)
--------------------------------------------------------

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail.     http://www.ml.com/email_terms/
--------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20060406/12697010/attachment.htm

More information about the Winpcap-users mailing list