I believe you are looking at the timestamps of the packets in wireshark, not when wireshark actually receives the packets from the WinPcap library. They are different. WinPcap timestamps the packets in the driver as soon as they arrive, but for performance reasons, it can deliver them with a certain delay. Are you looking at the timestamps in Wireshark?
Have a nice day GV From: [email protected] [mailto:[email protected]] On Behalf Of Akif Usman Sent: Wednesday, March 16, 2011 2:22 AM To: [email protected] Subject: Re: [Winpcap-users] Winpcap-users Digest, Vol 72, Issue 8 Hi, The only thing that amazes me is Wireshark. Why is wireshark able to capture with such accuracy even if it uses winpcap. Is it possible to achieve accuracy if i used packet.h functions to receive and then pcap to send the packets. Anton have you tried that? BR > From: > [email protected]<mailto:[email protected]> > Subject: Winpcap-users Digest, Vol 72, Issue 8 > To: [email protected]<mailto:[email protected]> > Date: Wed, 16 Mar 2011 02:08:28 -0700 > > Send Winpcap-users mailing list submissions to > [email protected]<mailto:[email protected]> > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.winpcap.org/mailman/listinfo/winpcap-users > or, via email, send a message with subject or body 'help' to > [email protected]<mailto:[email protected]> > > You can reach the person managing the list at > [email protected]<mailto:[email protected]> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Winpcap-users digest..." > > > Today's Topics: > > 1. Re: PPP capture (Gianluca Varenni) > 2. Re: Winpcap-users Digest, Vol 72, Issue 7 (Akif Usman) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 15 Mar 2011 13:59:25 -0700 > From: Gianluca Varenni > <[email protected]<mailto:[email protected]>> > To: Anton Tremsin <[email protected]<mailto:[email protected]>>, > "[email protected]<mailto:[email protected]>" > <[email protected]<mailto:[email protected]>> > Subject: Re: [Winpcap-users] PPP capture > Message-ID: > <6a8f2e88cff83c43a6aff7fac775b9fc0715174...@mailboxes2.nbttech.com<mailto:6a8f2e88cff83c43a6aff7fac775b9fc0715174...@mailboxes2.nbttech.com>> > Content-Type: text/plain; charset="us-ascii" > > Anton, > > If I remember well, you are capturing from Ethernet, Akif is capturing from > PPP. The code paths for the two types of devices are completely different > (Ethernet goes through the WinPcap kernel driver, PPP gets captured through > Netmon). > > Have a nice day > GV > > From: Anton Tremsin > [mailto:[email protected]]<mailto:[mailto:[email protected]]> > Sent: Monday, March 14, 2011 11:43 PM > To: [email protected]<mailto:[email protected]> > Cc: Gianluca Varenni > Subject: Re: [Winpcap-users] PPP capture > > Akif, Gianluca, > > As I mentioned in my previous messages, I have exactly the same problem of > delayed packages, with mintocopy set even to 0 (tried other values as well). > I am always sending a set of 64 packets of 8Kbytes each (that is one image > data). The packets are not lost, they always arrive. However, some of them > come with no delay (varied number of them, sometimes 62, sometimes 57, etc), > while the rest of them come exactly after the delay equal to the setting of > the timeout, which I varied between 1 and 10000 milliseconds. There is no > timeout reported for the packets to arrive with the delay. > > I will be very glad if that issue can be solved, which has probably the same > cause as in Akif's application. > > Thanks a lot, > > Anton > > Akif, > > This is probably due to the mintocopy and timeout of WinPcap. WinPcap does > not deliver you the packets immediately after they are received by the > driver. Packets are batched in kernel mode and delivered to the receiving > application when > > > There are at least mintocopy bytes in the kernel buffer > > After a certain timeout > (whatever happens first). > > In order to reduce the delay, you will need to either reduce the timeout or > the mintocopy. > > Have a nice day > GV > > From: > [email protected]<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]>> > > [mailto:[email protected]]<mailto:[mailto:[email protected]]> > On Behalf Of Akif Usman > Sent: Thursday, March 10, 2011 11:20 AM > To: > [email protected]<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]>> > Subject: [Winpcap-users] PPP capture > > HI, > > I have installed the winpcap version 3.1 beta and i am capturing from a PPP > interface and it captures perfectly. Now i am trying to capture from the same > PPP interface using my LIBPCAP program and forward it to another Ethernet > interface that connects further to a second computer (Ethernet NIC) which > also has wireshark running on it. When i capture from the second computer i > get a strange offset of 0.5 seconds after every x packets. This is very > strange. I dont know why wireshark is able to capture from PPP interface on > the first computer with proper accuracy and why my LIBPCAP program, which is > just forwarding the packets, is introducing a 0.5s [:-O] delay. Please help > me out as soon as somebody can. > > Best Regards > Fika > > > > > > _______________________________________________ > > Winpcap-users mailing list > > [email protected]<mailto:[email protected]<mailto:[email protected]%3cmailto:[email protected]>> > > https://www.winpcap.org/mailman/listinfo/winpcap-users > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <http://www.winpcap.org/pipermail/winpcap-users/attachments/20110315/7cb51127/attachment-0001.html> > > ------------------------------ > > Message: 2 > Date: Wed, 16 Mar 2011 10:08:25 +0100 > From: Akif Usman <[email protected]<mailto:[email protected]>> > To: <[email protected]<mailto:[email protected]>> > Subject: Re: [Winpcap-users] Winpcap-users Digest, Vol 72, Issue 7 > Message-ID: > <[email protected]<mailto:[email protected]>> > Content-Type: text/plain; charset="iso-8859-1" > > > HI, > There are some questiosn i need to ask. Why does wireshark give no delay upon > capture even though it uses Winpcap? > I am using windows xp for capture and i have checked the capture on ethernet > and there seems to be no problems at all from the capture on ethernet. I have > tried changing mintocopy and the timeout but it gives me no changes in the > performance? Any ideas why? > > BR > > > From: > > [email protected]<mailto:[email protected]> > > Subject: Winpcap-users Digest, Vol 72, Issue 7 > > To: [email protected]<mailto:[email protected]> > > Date: Tue, 15 Mar 2011 12:00:02 -0700 > > > > Send Winpcap-users mailing list submissions to > > [email protected]<mailto:[email protected]> > > > > To subscribe or unsubscribe via the World Wide Web, visit > > https://www.winpcap.org/mailman/listinfo/winpcap-users > > or, via email, send a message with subject or body 'help' to > > [email protected]<mailto:[email protected]> > > > > You can reach the person managing the list at > > [email protected]<mailto:[email protected]> > > > > When replying, please edit your Subject line so it is more specific > > than "Re: Contents of Winpcap-users digest..." > > > > > > Today's Topics: > > > > 1. Re: PPP capture (Gianluca Varenni) > > 2. Re: PPP capture (Anton Tremsin) > > > > > > ---------------------------------------------------------------------- > > > > Message: 1 > > Date: Mon, 14 Mar 2011 18:44:54 -0700 > > From: Gianluca Varenni > > <[email protected]<mailto:[email protected]>> > > To: "[email protected]<mailto:[email protected]>" > > <[email protected]<mailto:[email protected]>> > > Subject: Re: [Winpcap-users] PPP capture > > Message-ID: > > <6a8f2e88cff83c43a6aff7fac775b9fc0715173...@mailboxes2.nbttech.com<mailto:6a8f2e88cff83c43a6aff7fac775b9fc0715173...@mailboxes2.nbttech.com>> > > Content-Type: text/plain; charset="us-ascii" > > > > Akif, > > > > This is probably due to the mintocopy and timeout of WinPcap. WinPcap does > > not deliver you the packets immediately after they are received by the > > driver. Packets are batched in kernel mode and delivered to the receiving > > application when > > > > > > - There are at least mintocopy bytes in the kernel buffer > > > > - After a certain timeout > > (whatever happens first). > > > > In order to reduce the delay, you will need to either reduce the timeout or > > the mintocopy. > > > > Have a nice day > > GV > > > > From: > > [email protected]<mailto:[email protected]> > > [mailto:[email protected]]<mailto:[mailto:[email protected]]> > > On Behalf Of Akif Usman > > Sent: Thursday, March 10, 2011 11:20 AM > > To: [email protected]<mailto:[email protected]> > > Subject: [Winpcap-users] PPP capture > > > > HI, > > > > I have installed the winpcap version 3.1 beta and i am capturing from a PPP > > interface and it captures perfectly. Now i am trying to capture from the > > same PPP interface using my LIBPCAP program and forward it to another > > Ethernet interface that connects further to a second computer (Ethernet > > NIC) which also has wireshark running on it. When i capture from the second > > computer i get a strange offset of 0.5 seconds after every x packets. This > > is very strange. I dont know why wireshark is able to capture from PPP > > interface on the first computer with proper accuracy and why my LIBPCAP > > program, which is just forwarding the packets, is introducing a 0.5s [:-O] > > delay. Please help me out as soon as somebody can. > > > > Best Regards > > Fika > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: > > <http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fcd4e478/attachment-0001.html> > > > > ------------------------------ > > > > Message: 2 > > Date: Mon, 14 Mar 2011 23:42:30 -0700 > > From: Anton Tremsin <[email protected]<mailto:[email protected]>> > > To: [email protected]<mailto:[email protected]> > > Cc: Gianluca Varenni > > <[email protected]<mailto:[email protected]>> > > Subject: Re: [Winpcap-users] PPP capture > > Message-ID: > > <[email protected]<mailto:[email protected]>> > > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" > > > > Akif, Gianluca, > > > > As I mentioned in my previous messages, I have exactly the same problem > > of delayed packages, with mintocopy set even to 0 (tried other values as > > well). I am always sending a set of 64 packets of 8Kbytes each (that is > > one image data). The packets are not lost, they always arrive. However, > > some of them come with no delay (varied number of them, sometimes 62, > > sometimes 57, etc), while the rest of them come exactly after the delay > > equal to the setting of the timeout, which I varied between 1 and 10000 > > milliseconds. There is no timeout reported for the packets to arrive > > with the delay. > > > > I will be very glad if that issue can be solved, which has probably the > > same cause as in Akif's application. > > > > Thanks a lot, > > > > Anton > > > > > > Akif, > > > > > > This is probably due to the mintocopy and timeout of WinPcap. WinPcap > > > does not deliver you the packets immediately after they are received > > > by the driver. Packets are batched in kernel mode and delivered to the > > > receiving application when > > > > > > - There are at least mintocopy bytes in the kernel buffer > > > > > > - After a certain timeout > > > > > > (whatever happens first). > > > > > > In order to reduce the delay, you will need to either reduce the > > > timeout or the mintocopy. > > > > > > Have a nice day > > > > > > GV > > > > > > *From:* > > > [email protected]<mailto:[email protected]> > > > [mailto:[email protected]]<mailto:[mailto:[email protected]]> > > > *On Behalf Of *Akif Usman > > > *Sent:* Thursday, March 10, 2011 11:20 AM > > > *To:* [email protected]<mailto:[email protected]> > > > *Subject:* [Winpcap-users] PPP capture > > > > > > HI, > > > > > > I have installed the winpcap version 3.1 beta and i am capturing from > > > a PPP interface and it captures perfectly. Now i am trying to capture > > > from the same PPP interface using my LIBPCAP program and forward it to > > > another Ethernet interface that connects further to a second computer > > > (Ethernet NIC) which also has wireshark running on it. When i capture > > > from the second computer i get a strange offset of 0.5 seconds after > > > every x packets. This is very strange. I dont know why wireshark is > > > able to capture from PPP interface on the first computer with proper > > > accuracy and why my LIBPCAP program, which is just forwarding the > > > packets, is introducing a 0.5s [:-O] delay. Please help me out as soon > > > as somebody can. > > > > > > Best Regards > > > > > > Fika > > > > > > > > > _______________________________________________ > > > Winpcap-users mailing list > > > [email protected]<mailto:[email protected]> > > > https://www.winpcap.org/mailman/listinfo/winpcap-users > > > > > > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: > > <http://www.winpcap.org/pipermail/winpcap-users/attachments/20110314/fde1d594/attachment-0001.html> > > > > ------------------------------ > > > > _______________________________________________ > > Winpcap-users mailing list > > [email protected]<mailto:[email protected]> > > https://www.winpcap.org/mailman/listinfo/winpcap-users > > > > > > End of Winpcap-users Digest, Vol 72, Issue 7 > > ******************************************** > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <http://www.winpcap.org/pipermail/winpcap-users/attachments/20110316/cd1b5258/attachment.html> > > ------------------------------ > > _______________________________________________ > Winpcap-users mailing list > [email protected]<mailto:[email protected]> > https://www.winpcap.org/mailman/listinfo/winpcap-users > > > End of Winpcap-users Digest, Vol 72, Issue 8 > ********************************************
_______________________________________________ Winpcap-users mailing list [email protected] https://www.winpcap.org/mailman/listinfo/winpcap-users
