Let me start by spending a few words on the precision of WinPcap timestamps, since a similar question was raised yesterday by Paula Doyle.

Like every open source (and most commercial) packet capture systems, WinPcap relies on the underlying OS infrastructure to get the raw packets from the network (see http://winpcap.polito.it/docs/man/html/index.html if you are interested in basic details about the winpcap kernel-level architecture). This means that the process is something like:

1. the NIC brings the packets to memory
2. the NIC driver acknowledges the NIC and dispatches the packets to the upper kernel levels (TCP/IP, WinPcap)
3. *winpcap timestamps the packets*
4. winpcap puts the packets into a buffer
5. winpcap moves the content of the buffer to user level when there are enough packets in it


As you can clearly see:

- the precision of the timestamps is totally dependent on what happens before. In particular, several NICs use techniques to minimize the number of interrupts or transfer groups of packets instead of only one. Most NIC drivers do the same. As a result, especially with high traffic volumes, you'll often see timestamps that don't reflect the real traffic.
- since winpcap does buffering, the packets may be delivered to the application much later than when they came to the host. There are ways to minimize this (one of them is the timeout parameter of pcap_open_live), but they of course trade responsiveness for a higher CPU load.


My experience is: for low traffic rates, winpcap does a pretty good job, and the timestamp error is normally under one ms. However, and especially for high traffic rates, don't rely on a software-only capture system if you need precise timestamps. And don't hope that other OSes will solve the problem. In every case, always use the timestamp provided by the capture system and never "take the time" after you receive the packet: that way is going to be totally wrong.

Loris


Couderc, Francois wrote:
Hi,
I've looked at the archive but I haven't found anything so here is my question.
My application uses winpcap to receive all ethernet traffic but I find the library to be very slow. For example, I do a ping to another machine. The ping shows me a <1ms delay for the reply. But in winpcap, the delay between the ping request icmp message and the ping reply icmp message is 300ms!! Is there a way to increase the speed of acquisition of winpcap? I have the same result using Ethereal.
Thanks in advance for your help.
Frank


==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
==================================================================