Wireshark-users: Re: [Wireshark-users] recorded time in pcap file drifts from system time

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Sat, 07 Apr 2012 05:41:04 -0700
Thanx for the detail Guy, including helping me distinguish between the
role libpcap plays and the role Wireshark plays

I've updated registries on my flock of sniffers, will test its
effectiveness next week (give libpcap a few days to drift its sense of
time) and will report back.

--sk

> Or, more generally and accurately, "packet timestamp times, as supplied by WinPcap, may drift from the system time".  Those are the time stamps that get written to pcap and pcap-ng files by tcpdump/WinDump, dumpcap, etc..
>
>
>
> "The method used by the driver to timestamp packets can now be changed without recompiling the driver, modifying a registry key:
>
>          HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
>
> P