Wireshark mailing list archives

Re: recorded time in pcap file drifts from system time

From: Stuart Kendrick <skendric () fhcrc org>
Date: Sat, 07 Apr 2012 05:41:04 -0700

Thanx for the detail Guy, including helping me distinguish between the
role libpcap plays and the role Wireshark plays

I've updated registries on my flock of sniffers, will test its
effectiveness next week (give libpcap a few days to drift its sense of
time) and will report back.

--sk

Or, more generally and accurately, "packet timestamp times, as supplied by WinPcap, may drift from the system time".  
Those are the time stamps that get written to pcap and pcap-ng files by tcpdump/WinDump, dumpcap, etc..



"The method used by the driver to timestamp packets can now be changed without recompiling the driver, modifying a 
registry key:

         HKLM\System\CurrentControlSet\Services\NPF\TimestampMode

P

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

recorded time in pcap file drifts from system time Stuart Kendrick (Apr 06)
- Re: recorded time in pcap file drifts from system time Guy Harris (Apr 06)
  - Re: recorded time in pcap file drifts from system time Stuart Kendrick (Apr 07)
    - Re: recorded time in pcap file drifts from system time Stuart Kendrick (Apr 09)
  - Re: recorded time in pcap file drifts from system time Graham Bloice (Apr 09)
  - Re: recorded time in pcap file drifts from system time Jaap Keuter (Apr 09)