[Winpcap-users] WinPCAP packets capture delay..
Gianluca Varenni
gianluca.varenni at cacetech.com
Tue Sep 21 08:26:43 PDT 2010
The WinPcap driver is not dispatched as a thread; at the end of the story it's mainly interrupt driven.
Have a nice day
GV
From: "Fish" (David B. Trout)
Sent: Monday, September 20, 2010 7:49 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] WinPCAP packets capture delay..
Yes, you are correct. Adjusting "timeBeginPeriod" does not affect QueryPerformanceCounter, but since it does affect task dispatching (apparently) I thought setting it to a lower value might help to cause tasks (including the WinPCap device driver (NPF.sys)) to be dispatched more quickly (i.e. with less delay).
I have no idea what delay/precision Alimjan is referring to.
--
"Fish" (David B. Trout)
fish at softdevlabs.com
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Monday, September 20, 2010 4:49 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] WinPCAP packets capture delay..
Importance: High
Timer coalescing/timeBeginPeriod in practice change the scheduling quantum from 10-15ms (depending on the specific Windows version) to around 1ms and do not affect QueryPerformanceCounter (which is not based on that timer).
What is the timestamp precision and delay that we are talking about?
Have a nice day
GV
From: "Fish" (David B. Trout)
Sent: Sunday, September 19, 2010 5:06 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] WinPCAP packets capture delay..
You're welcome.
As to your problem there might not be anything you can do about it. Then again however, there might be some things you can do to reduce the effect. Things like using Windows 7 (with its Timer Coalescing feature) instead of Windows XP. Disabling "SpeedStep" if your system supports it (so as to increase the accuracy of QueryPerformanceCounter which is what WinPCap uses to timestamp all its received packets with). You should also check to make sure you have the latest BIOS version installed too.
I doubt it will help any (esp. if you're using Windows 7 with its Timer Coalescing feature), BUT... you might try using "timeBeginPeriod" and "timeEndPeriod", which I've heard sometimes increases the accuracy of Windows's timers.
Finally, many (if not all) of the issues listed in my post to yulou liu ("About the packets loss, what is the bottleneck?") quite likely apply in your case too. That is to say, if you're using older single-processor hardware with an older version of Windows, etc, then it's hardly surprising that the timestamps are inconsistent from one another. Windows can only do one thing at a time with only one processor, and even with multiple processors there are bottlenecks involved when you have unnecessary services running and/or unnecessary applications running.
If you're truly interested in obtaining the most accurate timings possible I would use dedicated hardware specifically for that purpose (or at the very least a real-time operating system and not a consumer level operating system like Windows).
Describe your hardware and operating environment again?
--
"Fish" (David B. Trout)
fish at softdevlabs.com
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Alimjan Kuramshin
Sent: Sunday, September 19, 2010 5:46 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] WinPCAP packets capture delay..
Importance: High
Hi, David! Maaany thanks for your reply. NO, those are just example MACs, actually I'm using hardware MACs. And one more thing, my PC (laptop) is connected directly to the other PC (or custom device, it doesn't matter I guess)..
Many thanks for your attention, I've spent about 6-8 months with this problem, and still no luck :(
On 19.09.2010, at 15:25, Fish (David B. Trout) wrote:
FYI: be careful with the MAC address you choose.
Any MAC address with the 0x01 bit on in the first byte is considered an all-stations broadcast.
Is that what you actually intended to do? Send 10,000 packets to ALL/every network adapter on your local network?? (if your host has more than one network adapter on the same physical network segment then they'll both receive every packet.)
If you need a MAC address to test with, the IANA has reserved the range 00-00-5E-00-00-00 through 00-00-5E-FF-FF-FF just for that purpose.
See the section "IANA ETHERNET ADDRESS BLOCK - UNICAST USE" (about 0.75 of the way down the web page) in the following document:
http://www.iana.org/assignments/ethernet-numbers
--
"Fish" (David B. Trout)
fish at softdevlabs.com
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Alimjan Kuramshin
Sent: Saturday, September 18, 2010 2:33 PM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] WinPCAP packets capture delay..
Importance: High
Hello!
Gianluca, can you run this code on your machine and, while running Wireshark, save the log and send it to me, please..
Are there any delays, I mean delays between the packets that Wireshark (winpcap) captures?
P.S. code from WinPcap documentation, sending packets, not one, but 10000 (or 1000000)..

#include <stdlib.h>
#include <stdio.h>

#ifndef HAVE_REMOTE
#define HAVE_REMOTE   /* WinPcap's pcap.h only declares pcap_open() when this is set */
#endif
#include <pcap.h>

int main(int argc, char **argv)
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[100];
    int i;
    volatile int n_pkts = 10000; // 1000000

    /* Check the validity of the command line */
    if (argc != 2)
    {
        printf("usage: %s interface (e.g. 'rpcap://eth0')", argv[0]);
        return 1;
    }

    /* Open the output device */
    if ((fp = pcap_open(argv[1],                    // name of the device
                        65536,                      // portion of the packet to capture (65536 = whole packet)
                        PCAP_OPENFLAG_PROMISCUOUS,  // promiscuous mode
                        1000,                       // read timeout
                        NULL,                       // authentication on the remote machine
                        errbuf                      // error buffer
                        )) == NULL)
    {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", argv[1]);
        return 1;
    }

    /* Supposing to be on ethernet, set mac destination to 1:1:1:1:1:1 */
    packet[0] = 1; packet[1] = 1; packet[2] = 1;
    packet[3] = 1; packet[4] = 1; packet[5] = 1;

    /* set mac source to 2:2:2:2:2:2 */
    packet[6] = 2; packet[7] = 2; packet[8] = 2;
    packet[9] = 2; packet[10] = 2; packet[11] = 2;

    /* Fill the rest of the packet */
    for (i = 12; i < 100; i++)
    {
        packet[i] = (u_char)i;
    }

    /* Send down the packet, n_pkts times */
    while (n_pkts--)
    {
        if (pcap_sendpacket(fp, packet, 100 /* size */) != 0)
        {
            fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
            pcap_close(fp);
            return 1;
        }
    }

    pcap_close(fp);
    return 0;
}
/* EOF */

Thanks, bye..
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
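
Added example, not part of the original thread and not WinPcap code: one way to put a number on the "delay between captured packets" discussed above is to walk the timestamps of a capture saved in classic pcap format and count the gaps above a threshold. It assumes a little-endian file with microsecond timestamps (magic 0xa1b2c3d4); the function names, the 1 ms threshold and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t packets, late; int64_t max_gap_us; } gap_stats; /* hypothetical type */
static uint32_t rd32(const uint8_t *p) {            /* little-endian field */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count gaps between consecutive record timestamps longer than threshold_us.
 * Returns 0 on success, -1 on bad magic or a truncated record. */
int pcap_gap_stats(const uint8_t *buf, size_t len, int64_t threshold_us, gap_stats *out) {
    size_t off = 24;                                /* skip the global header */
    int64_t prev = 0;
    memset(out, 0, sizeof *out);
    if (len < 24 || rd32(buf) != 0xa1b2c3d4u) return -1;
    while (off < len) {
        uint32_t incl;                              /* captured bytes after the header */
        if (len - off < 16 || (incl = rd32(buf + off + 8)) > len - off - 16) return -1;
        int64_t ts = (int64_t)rd32(buf + off) * 1000000 + rd32(buf + off + 4);
        if (out->packets++ > 0) {                   /* no gap before the first record */
            int64_t gap = ts - prev;
            if (gap > out->max_gap_us) out->max_gap_us = gap;
            if (gap > threshold_us) out->late++;
        }
        prev = ts;
        off += 16 + incl;
    }
    return 0;
}

/* Constructed sample: five 4-byte records with one 15 ms stall before the fourth. */
size_t build_sample(uint8_t *buf) {
    static const uint16_t usec[5] = { 100, 150, 205, 15205, 15260 };
    size_t off = 24;
    memset(buf, 0, 24 + 5 * 20);
    memcpy(buf, "\xd4\xc3\xb2\xa1", 4);             /* magic, little-endian */
    for (int i = 0; i < 5; i++, off += 20) {
        buf[off + 4] = usec[i] & 0xff;              /* ts_usec low byte (ts_sec stays 0) */
        buf[off + 5] = usec[i] >> 8;                /* ts_usec high byte */
        buf[off + 8] = buf[off + 12] = 4;           /* incl_len = orig_len = 4 */
    }
    return off;
}

int main(void) {
    uint8_t buf[124]; gap_stats s;
    if (pcap_gap_stats(buf, build_sample(buf), 1000, &s) != 0) return 1;
    printf("%u pkts, %u gaps > 1 ms, max %lld us\n", (unsigned)s.packets, (unsigned)s.late, (long long)s.max_gap_us);
    return 0;
}
```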