Re: tcpdump and timestamps

[Andrej van der Zee <andrejvanderzee () gmail com>]

Hi Gary,

Thank you for your clear reply, as always.

> WinDump, the Windows port of tcpdump, uses WinPcap, the Windows port of libpcap.  The time stamps come from the 
> WinPcap driver, which might, depending on how it's configured, read the system clock for each packet, or might read 
> it when it starts and, for each packet, add a value from the performance counter to it.  In the latter case, the time 
> stamps might drift from the system clock value.

I just read that putting the registry value for the key below on 2
lets the driver use system clock.
HKLM\System\CurrentControlSet\Services\NPF\TimestampMode

Thank you,
Andrej
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.