OK, so I set
HKLM\System\CurrentControlSet\Services\NPF\TimestampMode to '2'
and rebooted ...
after a couple days of run time, WinPCap's idea of time has drifted ~30s
away from system time.
I've searched on "Gianluca Varenni" + timestamp + drift + winpcap and
done some reading ... sounds like keeping track of time is difficult ...
but Gianluca believes that setting TimestampMode to '2' would help,
though perhaps not fix the issue.
Let me turn this around. Is anyone running long duration captures using
WinPCap and seeing absolute time in .pcap files stay synced with system
time? If this is defeating everyone, then I'll live with it for a
while... but if someone is seeing success, then I want to poke more.
[Is this something that the Cace Turbocap cards solve? Or do they
instead provide accurate inter-packet timestamps but are also at the
mercy of WinPCap for absolute time?]
Intel Core i7CPU 950
Win7 64 bit
WinPCap 4.1.2
--sk
On 4/7/2012 5:41 AM, Stuart Kendrick wrote:
Thanx for the detail Guy, including helping me distinguish between the
role libpcap plays and the role Wireshark plays
I've updated registries on my flock of sniffers, will test its
effectiveness next week (give libpcap a few days to drift its sense of
time) and will report back.
--sk
Or, more generally and accurately, "packet timestamp times, as supplied by WinPcap, may drift from the system time". Those are the time stamps that get written to pcap and pcap-ng files by tcpdump/WinDump, dumpcap, etc..
"The method used by the driver to timestamp packets can now be changed without recompiling the driver, modifying a registry key:
HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
P
___________________________________________________________________________
Sent via: Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
