Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] Problem with Elapsed Time reading Sniffer Fi

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Sat, 05 Mar 2005 02:37:14 -0500
Hello All,

>>> gharris@xxxxxxxxx 03/04/05 1:55 PM >>>
>> David_Long@xxxxxxxxxxxx wrote:
>> Comparing two captures of the same data taken on opposite sides of a WAN
>> cloud, one taken by Ethereal and one by Sniffer, I noticed discrepancies
>> in the timing when comparing the two using Ethereal.
>
> Ethereal's code to get time stamps from Windows Sniffer files has some
> problems; it's much improved in 0.10.9, but people have still seen problems.
>
> We'd need a copy of one of the files with a problem in order to figure
> out the cause.

I've attached five files to this message.  Two files are trace files and
three files are slightly edited packet detail text reports:

   pingtest.host1.trace
   pingtest.host2.cap

   pingtest.host1.ethereal.rpt
   pingtest.host2.sniffer.rpt
   pingtest.host2.ethereal.rpt
 
The first trace file, 'pingtest.host1.trace' was captured using ethereal
0.10.9-SVN-13391 on the host with ip address 192.168.0.2 (host 1).

The second trace file, 'pingtest.host2.cap' was made concurrently
with the first trace file and was captured using Sniffer Portable 4.70.530
on the host with ip address 192.168.0.4 (host 2).

NOTE: The two trace files contain only the four ping request frames
generated by host 1 at one second intervals towards host 2.  The
attached trace files were filtered to remove the ping replies generated
by host 2 to (hopefully) better illustrate the time discrepancy problems
ethereal currently has when reading (some?) Sniffer generated capture
files.

The first report file, 'pingtest.host1.ethereal.rpt' was generated by
Ethereal from the Ethereal created trace file.  This file indicates that
the ping packets were indeed generated at about 1 second intervals.

The second report file, 'pingtest.host2.sniffer.rpt' was generated by
Sniffer from the Sniffer created trace file.  This file shows the time
stamps as reported by the sniffer which also indicates that the ping
packets were received at about 1 second intervals.

The third report file, 'pingtest.host2.ethereal.rpt' was generated
by Ethereal from the Sniffer generated trace file.  This file is where
one can really see the time stamp discrepancy problem.  Not
only are the elapsed times between packets reported to be only
~0.279 seconds apart, but the absolute time for the first frame as
reported by ethereal (23:43:18.89805) is about ~72 seconds sooner
than the absolute time reported by Sniffer (23:44:28.8623) for the
same frame from the same trace file.

The two tables below summarize the realtime and delta times one
should see in the report files.

TRACE: source trace file is pingtest.host1.trace
CAP: source trace file is pingtest.host2.cap

absolute reported by  ethereal(TRACE)     sniffer(CAP)   ethereal(CAP)
frame 1               23:45:57.275189000  23:44:28.8623  23:43:16.898050000
frame 2               23:45:58.276550000  23:44:29.8637  23:43:17.177809000
frame 3               23:45:59.277739000  23:44:30.8649  23:43:17.457490000
frame 4               23:46:00.278942000  23:44:31.8660  23:43:17.737183000

delta reported by     ethereal(TRACE)     sniffer(CAP)   ethereal(CAP)
frame 2 from 1        1.001361000         1.0014         0.279759000
frame 3 from 2        1.001189000         1.0012         0.279681000
frame 4 from 3        1.001203000         1.0011         0.279693000

FYI: The realtime clock of host 1 was NOT synchronized to HOST 2 prior
to the ping test.

I hope someone finds these files useful for resolving the time discrepancy
problems Ethereal appears to have with certain Sniffer generated trace
files.  If needed I can generate other trace files and/or report files from
our Sniffer.

Best regards,

Jim Young

Attachment: pingtest.host1.trace
Description: Binary data

Attachment: pingtest.host2.cap
Description: Binary data

Attachment: pingtest.host1.ethereal.rpt
Description: Binary data

Attachment: pingtest.host2.sniffer.rpt
Description: Binary data

Attachment: pingtest.host2.ethereal.rpt
Description: Binary data