Wireshark-users: Re: [Wireshark-users] clock time trouble capturing TCP traffic over USB interfac

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 27 Jun 2011 09:44:14 -0700

On Jun 27, 2011, at 1:56 AM, Gilberton Philippe wrote:

> I am currently facing a problem in capturing TCP traffic via a 3G modem connected to the USB port of my Windows XP machine. The reference clock time displayed on the column of the captured file is not the same as the one of a regular capture file I performed on the Ethernet clock of my PC. For my test bed purpose, I need to work on absolute time and not a relative one.
> To confirm, I shifted the PC clock time by 1 hour and the clock time displayed on the column of the captured file through USB didn't change, while the one captured on the Ethernet interface changed accordingly. By the way, I didn't figure out which clock is used by Wireshark in case of a 3G modem USB interface connection: is it the USB clock, or the 3G modem clock?
> Is there any way to set Wireshark capturing parameter to force it to use PC clock time instead of USB one?

Wireshark doesn't use any clock; it uses whatever time stamps it gets from WinPcap.

This probably has nothing to do with USB.

It probably has to do with PPP interfaces (such as mobile phone modems) vs. non-PPP interfaces:

	http://www.winpcap.org/misc/faq.htm#Q-5

"Windows 2000/XP (x86)/2003 (x86). these systems have limitations in the NDIS binding process that prevent a protocol driver from working properly on WAN adapters. WinPcap 3.1 and newer offer limited support for capturing on dial-up adapters using a wrapper over the Microsoft NetMon driver."

Capturing on the Ethernet interface and capturing on PPP interfaces go through different kernel-mode code paths; there may be a problem with the code path that goes through the NetMon driver.  You'd have to ask the WinPcap developers for details:

	http://www.winpcap.org/contact.htm
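
Added example, not part of the original message or of Wireshark/WinPcap code: because the time stamps come from the capture library and are stored per packet in the capture file, the offset between an Ethernet capture and a PPP capture can be measured directly from the record headers. The sketch assumes classic pcap files (not pcapng); the two captures, the `build_pcap` helper and all values are constructed sample data.

```python
import struct

# Classic pcap magic numbers -> timestamp ticks per second
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def record_timestamps(data: bytes) -> list:
    """Return the raw per-packet time stamps (epoch seconds) stored in a classic pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):          # the magic number also reveals byte order
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    ticks = MAGICS[magic]
    stamps, off = [], 24               # records start after the 24-byte header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        if off + 16 + incl_len > len(data):
            break                      # truncated final record
        stamps.append(sec + frac / ticks)
        off += 16 + incl_len
    return stamps

def first_packet_offset(a: bytes, b: bytes) -> float:
    """Seconds by which capture a's first time stamp leads capture b's."""
    return record_timestamps(a)[0] - record_timestamps(b)[0]

def build_pcap(linktype: int, stamps) -> bytes:
    """Hypothetical helper: build a tiny little-endian pcap with dummy payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

# Constructed sample data: the Ethernet capture follows a PC clock moved
# forward one hour, the PPP capture does not (as in the report above).
BASE = 1309193054                      # 2011-06-27 16:44:14 UTC
ETHERNET = build_pcap(1, [(BASE + 3600, 0), (BASE + 3601, 500000)])  # LINKTYPE_ETHERNET
PPP = build_pcap(9, [(BASE, 250000), (BASE + 1, 750000)])            # LINKTYPE_PPP

if __name__ == "__main__":
    print("offset (s):", first_packet_offset(ETHERNET, PPP))
```

Run against two real captures taken at the same moment, a large constant offset points at the capture path's time source rather than at Wireshark's display settings.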