Let me start by spending a few words on the precision of WinPcap
timestamps, since a similar question was raised yesterday by Paula
Doyle.
Like every open source (and most commercial) packet capture system,
WinPcap relies on the underlying OS infrastructure to get the raw
packets from the network (see
http://winpcap.polito.it/docs/man/html/index.html if you are interested
in basic details about the WinPcap kernel-level architecture). This
means that the process is something like:
1. the NIC brings the packets to memory
2. the NIC driver acknowledges the NIC and dispatches the packets to the
upper kernel levels (TCP/IP, WinPcap)
3. *WinPcap timestamps the packets*
4. WinPcap puts the packets into a buffer
5. WinPcap moves the content of the buffer to user level when there are
enough packets in it
As you can clearly see:
- the precision of the timestamps is totally dependent on what happens
before. In particular, several NICs use techniques to minimize the
number of interrupts, or transfer groups of packets instead of only
one. Most NIC drivers do the same. As a result, especially with high
traffic volumes, you'll often see timestamps that don't reflect the real
traffic.
- since WinPcap does buffering, the packets may be delivered to the
application much later than when they arrived at the host. There are ways
to minimize this (one of them is the timeout parameter of
pcap_open_live), but of course they trade responsiveness for a higher
CPU load.
My experience is: for low traffic rates, WinPcap does a pretty good job,
and the timestamp error is normally under a millisecond. However, and
especially for high traffic rates, don't rely on a software-only capture
system if you need precise timestamps. And don't hope that other OSes
will solve the problem. In every case, always use the timestamp provided
by the capture system and never "take the time" after you receive the
packet: that way is going to be totally wrong.
Loris
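Loris's last point, that the only usable time is the one the capture system stamped on the packet, in code. This is an added example, not part of the original thread and not WinPcap's own code: a small reader for the libpcap/WinPcap capture file format that takes the round-trip time of a ping from the ts_sec/ts_usec fields of each record header (the values step 3 above wrote) rather than from the clock at the moment the application sees the packet. The sample capture is constructed inline and embedded in the block (one echo request and its reply, stamped 850 microseconds apart); the MAC and IP addresses, identifier and timestamps are made-up values. The reader also accepts the big-endian and nanosecond variants of the file magic, which goes beyond what the thread discusses.

```python
import struct

# pcap magic as read from the first 4 bytes in little-endian order:
# (struct byte-order prefix for the file, multiplier that turns the
# fractional-second field into nanoseconds)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000),   # little-endian file, microsecond stamps
    0xD4C3B2A1: (">", 1_000),   # big-endian file, microsecond stamps
    0xA1B23C4D: ("<", 1),       # little-endian file, nanosecond stamps
    0x4D3CB2A1: (">", 1),       # big-endian file, nanosecond stamps
}


def parse_pcap(data: bytes):
    """Return [(timestamp_ns, frame_bytes), ...] from an in-memory pcap file.

    The timestamp is the one written into the record header by the capture
    driver (WinPcap/libpcap); nothing in this function looks at the host clock."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a pcap file (magic {magic:#x})")
    endian, frac_to_ns = PCAP_MAGICS[magic]
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"expected Ethernet (linktype 1), got {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record")
        off += incl_len
        records.append((ts_sec * 1_000_000_000 + ts_frac * frac_to_ns, frame))
    return records


def icmp_echo_fields(frame: bytes):
    """(icmp_type, ident, seq) for an Ethernet/IPv4/ICMP echo request or reply, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 1:                              # IPv4, protocol ICMP
        return None
    icmp = ip[ihl:ihl + 8]
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp)
    return (icmp_type, ident, seq) if icmp_type in (0, 8) else None


def echo_rtts_us(records):
    """Pair each echo request (type 8) with its reply (type 0) by (ident, seq);
    return {seq: rtt_in_microseconds} computed purely from capture timestamps."""
    pending, rtts = {}, {}
    for ts_ns, frame in records:
        fields = icmp_echo_fields(frame)
        if fields is None:
            continue
        icmp_type, ident, seq = fields
        if icmp_type == 8:
            pending[(ident, seq)] = ts_ns
        elif (ident, seq) in pending:
            rtts[seq] = (ts_ns - pending.pop((ident, seq))) // 1000
    return rtts


def _checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_frame(icmp_type, src_ip, dst_ip, ident, seq, payload=b"abcdefgh"):
    """Constructed Ethernet/IPv4/ICMP echo frame with valid checksums (made-up MACs)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + icmp


def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed capture: one ping exchange, reply stamped 850 us after the request."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    req = build_echo_frame(8, "192.168.1.10", "192.168.1.20", 0x0001, 1)
    rep = build_echo_frame(0, "192.168.1.20", "192.168.1.10", 0x0001, 1)
    for ts_sec, ts_usec, frame in ((1700000000, 100000, req), (1700000000, 100850, rep)):
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for seq, rtt in echo_rtts_us(parse_pcap(build_sample_pcap())).items():
        print(f"seq {seq}: rtt {rtt} us")   # seq 1: rtt 850 us
```

Feed parse_pcap() a real file saved by WinPcap or Ethereal and the RTT comes out of the driver's own stamps. If the application instead noted the wall clock when each packet reached it, both frames of a ping would carry roughly the moment the kernel buffer was flushed to user level, which is the buffering effect Loris describes and not a property of the traffic.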
Couderc, Francois wrote:
Hi,
I've looked at the archive but I haven't found anything so here is my
question.
My application uses winpcap to receive all ethernet traffic but I find
the library to be very slow. For example I do a ping to another
machine. The ping shows me a <1ms delay for reply. But in winpcap, the
delay between the ping request icmp message and the ping reply icmp
message is 300ms!! Is there a way to increase the speed of acquisition
of winpcap? I have the same result using Ethereal.
Thanks in advance for your help.
Frank
==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================