Re: Timestamp Skew

[Bill Meier <wmeier () newsguy com>]

Guy Harris wrote:
> On Jan 14, 2010, at 10:19 AM, Lee Riemer wrote:
>
> > The sniffer server is syncing with NTP, and this is also a dual core system.  You may be on to something, though.  
> > If the box is correcting it's skew with NTP, wireshark might not be if it isn't polling the time for each packet.
> >
> > Anyone know exactly how WS picks the time to stamp?
>
> On Windows, it takes it from the information supplied to it by WinPcap, so it's not Wireshark that's picking the time 
> to stamp, it's WinPcap.  (On UN*X, it takes it from the information supplied to it by libpcap, which is, on almost 
> all platforms, the time supplied to libpcap by the OS-native packet capture mechanism being used by libpcap.)
>
> If none of the WinPcap developers reply here, you might want to report it to them as a bug:

A web search for     "time drift" winpcap     turns up some seemingly 
relevant info.....

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe