Ethereal-users: Re: [Ethereal-users] Where's the second source of time stamps?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 17 Apr 2002 15:12:41 -0700
On Wed, Apr 17, 2002 at 05:01:59PM -0500, J. Michael Milner wrote:
> I've been capturing a filtered view of the traffic between my router and
> the cable modem.  I'm seeing some interesting stuff at the MAC level
> as all the cable modems for blocks around are on what amounts to a common
> ethernet segment.  However, I can't seem to figure out why I see what
> looks like 2 clocks being used for "Arrival Time" - one that looks correct and
> another that is running 32 hours and 15 minutes behind!  I'm assuming the
> time is from the system clock of the machine doing the capture in all cases.

The time ultimately comes from the system clock of the machine running
the capture program.

However, that time may be passed through several layers of code before
it reaches libpcap/WinPcap; libpcap/WinPcap and Ethereal just pass it
through.  Perhaps some of that code is, on occasion, getting confused.

You'd have to ask the developers of that code about that...

> The configuration is Ethereal 0.9.2, WinPcap 2.3, Windows 95B, and a 3C905
> lan card.

...and the developers of that code include Microsoft and the WinPcap
developers.

I'd start by downloading WinDump and trying that - it should print time
stamps if you run it in "print to the console window you're in" mode
(that's the default).

If it exhibits the same behavior, ask the WinPcap people about it; see
the page at

	http://winpcap.polito.it/contact.htm

for information on submitting bug reports.

Note that they ask you to download a special version of WinDump, which
can provide extra debugging information, which you should send to them
with other information.

You should do a capture with WinDump with the "-w" flag, and read that
file in Ethereal; if it shows the same time stamp problem, send them
that file, along with all the debugging information the special version
of WinDump produced, and other information, such as the above
information (and the version of WinDump as well), and, just in case,
also the information about the link.
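The suggested check above is to write the capture with "-w" and look for the misbehaving time stamps in Ethereal. As an added example (not part of this thread or of WinDump/libpcap), the script below reads the record headers of a classic little-endian microsecond pcap file and flags frames whose arrival time runs backwards by more than a threshold, which is how a capture stamped by two clocks shows up; the sample capture, the 2002-era base time and the 32h15m offset are constructed to mirror the report.

```python
import struct
from datetime import timedelta

PCAP_MAGIC = 0xA1B2C3D4                 # microsecond-resolution pcap, little-endian
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_timestamps(data):
    """Return the arrival time (seconds, float) of every record in a pcap byte string."""
    magic, *_ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap (magic 0x%08x)" % magic)
    off, stamps = GLOBAL_HDR.size, []
    while off + RECORD_HDR.size <= len(data):
        sec, usec, incl_len, _ = RECORD_HDR.unpack_from(data, off)
        stamps.append(sec + usec / 1e6)
        off += RECORD_HDR.size + incl_len   # skip the packet bytes themselves
    return stamps

def find_clock_skips(stamps, max_backward=1.0):
    """Return (index, delta_seconds) for records whose time stamp is more than
    max_backward seconds earlier than the preceding record.  A capture that
    alternates between two clocks produces repeated large negative deltas."""
    skips = []
    for i in range(1, len(stamps)):
        delta = stamps[i] - stamps[i - 1]
        if delta < -max_backward:
            skips.append((i, delta))
    return skips

def build_pcap(records):
    """Assemble a minimal pcap from (ts_sec, ts_usec, payload) tuples (constructed sample data)."""
    buf = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for sec, usec, payload in records:
        buf += RECORD_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return bytes(buf)

BASE = 1019081561                 # constructed: about 2002-04-17 as Unix seconds
BEHIND = 32 * 3600 + 15 * 60      # the 32 hours 15 minutes offset reported in the thread
SAMPLE = build_pcap([
    (BASE,              0,      b"\x00" * 60),
    (BASE,              500000, b"\x00" * 60),
    (BASE + 1,          0,      b"\x00" * 60),
    (BASE + 1 - BEHIND, 200000, b"\x00" * 60),  # stamped by the "second clock"
    (BASE + 2,          0,      b"\x00" * 60),
])

if __name__ == "__main__":
    for idx, delta in find_clock_skips(read_timestamps(SAMPLE)):
        print("frame %d is stamped %s earlier than frame %d" % (idx + 1, timedelta(seconds=-delta), idx))
```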