[Winpcap-users] How Pcap does the Timestamp?

[Isara Anantavrasilp]

Hi
I follow an advice in my previous question to see in the time_call.h how
PCAP works.
Following is the code in the file.

As far as I understand, PCAP uses KeQuerySystemTime to get current system
time.
And since it has to store in timeval, an EPOCH offset has to be applied.
But I dont understand why PCAP has to substract
PTime.QuadPart/TimeFreq.QuadPart
out of SystemTime?

Why cant it just use SystemTime?
And if it subtract, wont it miss the "actual" time?

Another question is, I try to do exactly like this in my program.
But instead of using  KeQuerySystemTime and KeQueryPerformanceCounter,
I use GetSystemTimeAsFileTime and QueryPerformanceCounter respectively.
However, I couldnt get the same time as PCAP.
Why?

What I want to do is to send a packet with timestamp and compare the
timestamp with pcap's time stamp.
For this, I need to know precisely how PCAP gets its time.

Thanks a lot,
Isara

/* KeQueryPerformanceCounter TimeStamps */
__inline void SynchronizeOnCpu(struct timeval *start)
{
//    struct timeval *start = (struct timeval*)Data;

    struct timeval tmp;
    LARGE_INTEGER SystemTime;
    LARGE_INTEGER i;
    ULONG tmp2;
    LARGE_INTEGER TimeFreq,PTime;

    // get the absolute value of the system boot time.

    PTime = KeQueryPerformanceCounter(&TimeFreq);
    KeQuerySystemTime(&SystemTime);

    start->tv_sec = (LONG)(SystemTime.QuadPart/10000000-11644473600);

    start->tv_usec = (LONG)((SystemTime.QuadPart%10000000)/10);

    start->tv_sec -= (ULONG)(PTime.QuadPart/TimeFreq.QuadPart);

    start->tv_usec -= (LONG)((PTime.QuadPart%TimeFreq.QuadPart
)*1000000/TimeFreq.QuadPart);

    if (start->tv_usec < 0)
    {
        start->tv_sec --;
        start->tv_usec += 1000000;
    }
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20060907/f2bc6f35/attachment.htm