On Tue, Jul 20, 2004 at 04:50:56PM -0500, Aninda Bhattacharya wrote:
> This shows that the time synchronization between the computers (achieved
> using NTP) is not being reflected in the time stamps of the captured
> packets.
>
> What is happening inside ethereal/WinPCap that is showing this
> behaviour?

I don't know. It might be that WinPcap isn't using the system clock; I
think that, at least with newer versions of WinPcap, it can use the time
stamp counter on machines that have it. If that's what it's using, an
NTP adjustment might not affect the time stamps.

> Is this a bug?

If it's due to the time stamp counter being used, no - I think the idea
is that if you care more about minimizing the CPU used when capturing
rather than getting more accurate time stamps, you'd use the time stamp
counter.

> If yes, is ethereal or WinPCap responsible for this?

WinPcap, almost certainly. Ethereal doesn't time-stamp packets - it
just uses the time stamps it gets from libpcap/WinPcap.

> In my opinion, ethereal/WinPCap is not using the system time stamp that
> reflects the NTP time correction. How can I correct this?

I think it's done with a registry entry, but I don't know what entry it
is. You might look in the winpcap-users archives to see if there's
anything about this and, if not, ask on winpcap-users:
http://winpcap.polito.it/contact.htm