Wireshark-users: Re: [Wireshark-users] recorded time in pcap file drifts from system time

From: "Graham Bloice" <graham.bloice@xxxxxxxxxxxxx>
Date: Mon, 9 Apr 2012 10:22:02 +0100

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
> Sent: 07 April 2012 02:56
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] recorded time in pcap file drifts from
system
> time
> 
> 
> On Apr 6, 2012, at 8:06 PM, Stuart Kendrick wrote:
> 
> > Perhaps there is no fix for this ... but I figured I'd ask.
> >
> > Absolute time, as recorded in the .pcap file, tends to drift from
> > system time.
> 
> Or, more generally and accurately, "packet timestamp times, as supplied by
> WinPcap, may drift from the system time".  Those are the time stamps that
> get written to pcap and pcap-ng files by tcpdump/WinDump, dumpcap, etc..
> 
> This is, I think, not true on UN*Xes (with libpcap) when the time stamps
are
> supplied by the system (rather than by the network adapter, as can be the
> case with some adapters, some OSes, and newer versions of libpcap; the
> default is to use system time stamps, though), as packet time stamps come
> from the same clock that supplies time()/gettimeofday()/etc. values.
> 
> On Windows, however, the WinPcap driver, on x86 machines can run in one
> of three modes:
> 
> 	http://www.winpcap.org/misc/changelog.htm
> 
> "The method used by the driver to timestamp packets can now be changed
> without recompiling the driver, modifying a registry key:
> 
>          HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
> 
> Possible values are
> 	. 0 (default) -> Timestamps generated through
> KeQueryPerformanceCounter, less reliable on SMP/HyperThreading
> machines, precision = some microseconds
> 	. 2 -> Timestamps generated through KeQuerySystemTime, more
> reliable on SMP/HyperThreading machines, precision = scheduling quantum
> (10/15 ms)
> 	. 3 -> Timestamps generated through the i386 instruction RDTSC, less
> reliable on SMP/HyperThreading/SpeedStep machines, precision = some
> microseconds"
> 
> In modes 0 and 3, the time stamps don't come from the same source as the
> system time, and can drift apart.
> 
> On x86-64 machines, mode 3 isn't supported (because generating an in-line
> RDTSC instruction is a pain, according to a comment in time_calls.h in the
> source for the NT flavor of the driver, "inline assembler is not supported
with
> the current AMD64 compilers" - "NT" here includes Windows NT 5.x, i.e. W2K
> AND XP, and 6.x, i.e. Vista, 7, etc.), but it looks as if modes 0 and 2
are.
> 
> Mode 0 is the default, so the time stamps can drift.
> 
> > Is there a way around this?  I suppose I could stop and restart my
capture
> every few hours, to give Wireshark a chance to grab Real Time.  Other
> thoughts?
> 
> Fire up Your Friend Mr. Regedt32 (or Regedt64 if there is one - somebody
> claimed either in a WS bug or a WS mailing list that there are separate
32-bit
> and 64-bit registries, and I suspect the driver, being 64-bit on 64-bit
Windows,
> uses the 64-bit registry) and set the registry key in question to 2.

Registry trivia:

I don't believe that this portion of the registry (HKLM\System) is different
for 32 bit or 64 bit apps on a 64 bit OS, possibly because "system" stuff
has to be 64 bit on a 64 bit OS.  AFAIK it's only stuff under HKLM\Software
that changes between 32 bit and 64 bit apps.

There is no regedt64, you use regedit.exe.  The default one on a 64 bit OS
(the 64 bit one) will see the 32 bit stuff under the
HKLM\Software\WOW6432Node.

You can run the 32 bit version of the registry editor using
%systemroot%\syswow64\regedit.exe.  Regedt32.exe can also be found in the
syswow64 directory.

See the KB article http://support.microsoft.com/kb/305097 for more info.