Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: [Wireshark-users] Timing questions

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Bond, Peter" <PBond@xxxxxxxxxxxxxx>
Date: Fri, 27 Feb 2009 16:17:20 -0000

Hi all –

 

We’re seeing some slightly strange behaviours out of Wireshark in certain situations; the system in question has both a Realtek network card & a DekTec card.

 

  1. Capturing under Windows on either card, there are negative (absolute, not relative) timestamps crop up periodically throughout the trace.  Reading around, there seemed to be an incompatibility between an older version of WinPcap and a newer version of Wireshark; this does not appear to be the problem here (bundled install).  Running a Linux version (from a LiveCD), the problem disappears with the Realtek card; I have not yet built a LiveCD with the DekTec drivers to be able to test that case.  I’ve seen some suggestions that the packet forwarding to the WinPcap driver under Windows are a little indeterminate, is this the likely culprit?

 

  1. The packets being transmitted have a defined period between them (about 1ms), yet at the start of every capture, the delta is in the order of 1us instead.  My best guess is that the Realtek card buffer is being flushed to the pcap driver initially…?  Since the interface is in promiscuous mode before the capture starts, I’m not sure that the assumption is valid.

 

My suspicion is that for absolute timing tests of this nature, we really ought to be using a lower-level network analyser to keep the vagaries of the OS out of the way. 

 

All comments gratefully received.

 

Peter Bond

 

**********************************************************************

This communication is confidential and intended solely for the 
addressee(s). Any unauthorized review, use, disclosure or distribution
is prohibited. If you believe this message has been sent to you in 
error, please notify the sender by replying to this transmission and 
delete the message without disclosing it. Thank you.

E-mail including attachments is susceptible to data corruption, 
interception, unauthorized amendment, tampering and viruses, and we 
only send and receive e-mails on the basis that we are not liable for 
any such corruption, interception, amendment, tampering or viruses or 
any consequences thereof.

This email, its content and any attachments is PRIVATE AND 
CONFIDENTIAL to TANDBERG Television, Part of the Ericsson Group. 

www.tandbergtv.com
**********************************************************************
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube