Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-users: [Ethereal-users] Timestamps "jump back" by ~13 seconds

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Feeny, Michael (TD&DS, Applications Infrastructure Svcs.)" <michael_feeny@xxxxxx>
Date: Fri, 7 Apr 2006 08:25:30 -0400

Hi all…

 

I posted this to the Winpcap-users forum, but I have not gotten a response yet.  Perhaps someone here has some experience or insight…

 

I used Ethereal (0.10.14) to capture packets yesterday (Winpcap version 3.1).  When I open the resultant Ethereal file, I notice that about every 5 or 10 packets, the timestamp is roughly 13 seconds earlier than that of the previous packet. 

 

Looking more closely, I see a clump of packets with timestamps that increase normally, then a clump that are 13 seconds earlier (but whose timestamps also increase normally), then a clump that are 13 seconds later (lining up with the 1st clump), then a 13-seconds-earlier clump, etc., etc., etc.

 

I’m probably not explaining this well L.  Here is a sample of the timestamps – this should make it clearer…

 

14:26:35.475498

14:26:35.475604

14:26:35.475632

14:26:49.087976            (Jumps ahead ~13.5 seconds)

14:26:49.132457

14:26:49.132573

14:26:49.132604

14:26:49.134084

14:26:35.525248            (Jumps back ~13.5 seconds)

14:26:35.525376

14:26:35.525567

14:26:49.283965            (Jumps ahead ~13.5 seconds)

14:26:49.882512

14:26:49.882613

14:26:49.882645

… this pattern continues forever and ever (or, at least for the 35 minutes of the capture)

 

Has anyone seen this?  Any ideas?

 

If I understand how Winpcap works (that’s a big “IF”), Winpcap grabs the packet, applies a timestamp using the system clock, passes it to Ethereal, who gives it the next frame number and adds it to the packet set, and waits for the next packet.  So, how these timestamps are showing this behavior has got me good and puzzled J.

 

ADDITIONAL INFO

OS:      MS Windows 2000 SP2

Proc:    x86 Family 6 Model 8 Stepping 3

NIC:      Compaq NC3163 Fast Ethernet NIC 

Thx much,

Michael

 

Michael Feeny

TDDS Application Integration Management

609-274-2761 (Office)

484-995-1745 (Mobile)

1-888-MERRIL0 (Page)

feenyman99 (AIM)

 

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail.     http://www.ml.com/email_terms/

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube