On Jan 14, 2010, at 12:33 PM, Gianluca Varenni wrote:
> Well, you already got an answer from the WinPcap team... I work in the
> WinPcap team.
>
> If a timestamp precision in the order of some milliseconds is ok for you,
> then you can switch the timestamping mode to a less precise one that is
> sync'ed with the system time. You can find details on how to change the
> timestamping mode in this email:
>
> http://www.winpcap.org/pipermail/winpcap-bugs/2010-January/001153.html
That should perhaps be in the WinPcap FAQ. Using performance counters could cause not only the failure to get NTP-synced timestamps but also, at least in mode 3, failures on machines where the CPU isn't running at full speed, such as
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4249
Does KeQueryPerformanceCounter(), on x86, use RDTSC but compensate for CPU clock speed changes?