[Winpcap-users] time drift / Windows
Stuart Kendrick
skendric at fhcrc.org
Thu Apr 12 13:00:43 PDT 2012

So, I have a rough grasp of the trade-offs involved in WinPCap's concept
of time, mostly from googling for "winpcap, time drift, gianluca
verenni" and reading the result ... this is an issue which has appeared
on various lists across the last decade or so ... and at root involves
some stickiness in the options which Windows offers for tracking time

http://seclists.org/wireshark/2012/Apr/85
http://seclists.org/wireshark/2010/Aug/311

As far as I can tell, tweaking the Registry as below doesn't help
-- time still drifts (~30 seconds after two days, in the one test I've
run), even with TimestampMode set to '2'

Does anyone believe differently? i.e. is anyone successfully running
NPF across multiple days with Winpcap time synced to system time within
a second or so?

HKLM\System\CurrentControlSet\Services\NPF\TimestampMode

Possible values are

0 (default) -> Timestamps generated through KeQueryPerformanceCounter, less
reliable on SMP/HyperThreading machines, precision = some microseconds

2 -> Timestamps generated through KeQuerySystemTime, more reliable on
SMP/HyperThreading machines, precision = scheduling quantum (10/15 ms)

3 -> Timestamps generated through the i386 instruction RDTSC, less reliable
on SMP/HyperThreading/SpeedStep machines, precision = some microseconds

Winpcap 4.1.2
Win7 Enterprise 64 bit
Wireshark 1.7.1

--sk
Stuart Kendrick
FHCRC
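
An added example, not part of the original post: when a multi-day capture has to be correlated with logs stamped by the system clock, the drift described above can be measured and removed after the fact by fitting a line through paired readings of both clocks. The function names and the sample readings are assumptions constructed for illustration (sized to about 30 seconds of drift over two days, with jitter on the order of the scheduling quantum).

```python
from statistics import mean


def fit_drift(samples):
    """Least-squares fit of capture-clock error against system time.

    samples: (system_seconds, capture_seconds) pairs read at the same instants.
    Returns (t0, offset, rate): the error at t0 in seconds and the fractional
    drift rate, so that capture = system + offset + rate * (system - t0).
    """
    if len(samples) < 2:
        raise ValueError("need at least two paired readings")
    t0 = samples[0][0]
    xs = [s - t0 for s, _ in samples]      # elapsed system time
    es = [c - s for s, c in samples]       # capture clock minus system clock
    mx, me = mean(xs), mean(es)
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        raise ValueError("readings must span a non-zero interval")
    rate = sum((x - mx) * (e - me) for x, e in zip(xs, es)) / var
    return t0, me - rate * mx, rate


def to_system_time(capture_ts, model):
    """Map a capture timestamp back onto the system clock using the fit."""
    t0, offset, rate = model
    return t0 + (capture_ts - t0 - offset) / (1.0 + rate)


# Constructed readings: one pair every 6 hours for two days.
START = 1_334_260_000.0                    # arbitrary epoch value, constructed
TRUE_RATE = 30.0 / (2 * 86400)             # 30 s gained in two days
JITTER = [0.004, -0.007, 0.010, -0.003, 0.006, -0.009, 0.002, -0.005, 0.008]
SAMPLES = [
    (START + k * 21600.0,
     START + k * 21600.0 + TRUE_RATE * k * 21600.0 + JITTER[k])
    for k in range(len(JITTER))
]

if __name__ == "__main__":
    model = fit_drift(SAMPLES)
    print(f"drift rate: {model[2] * 1e6:.1f} ppm")
    print(f"drift after two days: {model[2] * 2 * 86400:.2f} s")
    last_sys, last_cap = SAMPLES[-1]
    print(f"raw error at end: {last_cap - last_sys:.3f} s")
    print(f"residual after correction: "
          f"{to_system_time(last_cap, model) - last_sys:.3f} s")
```
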