So, I have a rough grasp of the trade-offs involved in WinPcap's concept of time, mostly from googling for "winpcap, time drift, gianluca varenne" and reading the results ... this is an issue which has appeared on various lists across the last decade or so ... and at root involves some stickiness in the options which Windows offers for tracking time.

http://seclists.org/wireshark/2012/Apr/85
http://seclists.org/wireshark/2010/Aug/311

As far as I can tell, tweaking the Registry as below doesn't help -- time still drifts (~30 seconds after two days, in the one test I've run), even with TimestampMode set to '2'.

Does anyone believe differently? i.e. is anyone successfully running NPF across multiple days with WinPcap time synced to system time within a second or so?

HKLM\System\CurrentControlSet\Services\NPF\TimestampMode

Possible values are:
0 (default) -> Timestamps generated through KeQueryPerformanceCounter, less reliable on SMP/HyperThreading machines, precision = some microseconds
2 -> Timestamps generated through KeQuerySystemTime, more reliable on SMP/HyperThreading machines, precision = scheduling quantum (10/15 ms)
3 -> Timestamps generated through the i386 instruction RDTSC, less reliable on SMP/HyperThreading/SpeedStep machines, precision = some microseconds

WinPcap 4.1.2
Win7 Enterprise 64 bit
Wireshark 1.7.1

--sk
Stuart Kendrick
FHCRC
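One way to check which timestamp source a capture is actually exhibiting, as an added Python example that is not part of the post above: it parses a classic libpcap file and reports the timestamp resolution (coarse quantum-sized steps are the KeQuerySystemTime symptom) and any backwards steps (the SMP/HyperThreading symptom of the counter-based sources). The 10 ms threshold, the 15.625 ms tick in the sample, and the sample captures themselves are constructed assumptions.

```python
"""Added example (not from the post): scan a classic libpcap file for the timestamp
symptoms of the TimestampMode values above: KeQuerySystemTime gives coarse quantum-sized
steps; the performance-counter/RDTSC sources can step backwards between CPUs."""
import struct
from math import gcd

PCAP_MAGIC_LE = 0xA1B2C3D4  # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic as read from a big-endian file


def read_pcap_timestamps(data):
    """Return [(sec, usec), ...] for every record in a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    stamps, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        stamps.append((sec, usec))
        off += 16 + incl_len
    return stamps


def analyse_timestamps(stamps, coarse_threshold_us=10_000):
    """Resolution (gcd of inter-packet deltas) and count of backwards steps.
    Threshold of 10 ms is the low end of the post's 10/15 ms scheduling quantum (assumption)."""
    micro = [s * 1_000_000 + u for s, u in stamps]
    deltas = [b - a for a, b in zip(micro, micro[1:])]
    resolution = 0
    for d in deltas:
        resolution = gcd(resolution, abs(d))
    return {
        "backwards_steps": sum(1 for d in deltas if d < 0),
        "resolution_us": resolution,
        "looks_quantised": resolution >= coarse_threshold_us,
    }


def make_pcap(stamps, payload=b"\x00" * 14):
    """Build a minimal little-endian pcap (Ethernet link type) from (sec, usec) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out


# Constructed captures: 15.625 ms ticks (quantised) vs. fine timestamps with one backwards step.
COARSE = make_pcap([(1000, 0), (1000, 15625), (1000, 15625), (1000, 46875), (1000, 62500)])
FINE = make_pcap([(1000, 100), (1000, 237), (1000, 190), (1000, 401)])
```

Run `analyse_timestamps(read_pcap_timestamps(open("capture.pcap", "rb").read()))` on a real multi-day capture to see whether the stamps behave like the mode the Registry claims.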
