Ethereal-users: Re: [Ethereal-users] Timestamps "jump back" by ~13 seconds

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Fri, 07 Apr 2006 22:59:21 +1000
Feeny, Michael (TD&DS, Applications Infrastructure Svcs.) wrote:
> Hi all…
> 
>  
> 
> I posted this to the Winpcap-users forum, but I have not gotten a
> response yet.  Perhaps someone here has some experience or insight…
> 
>  
> 
> I used Ethereal (0.10.14) to capture packets yesterday (Winpcap version
> 3.1).  When I open the resultant Ethereal file, I notice that about
> every 5 or 10 packets, the timestamp is roughly 13 seconds earlier than
> that of the previous packet. 

The questions I would be asking are:
What could be fiddling with the system clock?
Are these happening at consistent intervals throughout the trace? (e.g
every 0.05 secs)
What else is running on the box?

> Looking more closely, I see a clump of packets with timestamps that
> increase normally, then a clump that are 13 seconds earlier (but whose
> timestamps also increase normally), then a clump that are 13 seconds
> later (lining up with the 1^st clump), then a 13-seconds-earlier clump,
> etc., etc., etc.
> 
>  
> 
> I’m probably not explaining this well L.  Here is a sample of the
> timestamps – this should make it clearer…
> 
>  
> 
> 14:26:35.475498
> 
> 14:26:35.475604
> 
> 14:26:35.475632
> 
> 14:26:49.087976            (Jumps ahead ~13.5 seconds)
> 
> 14:26:49.132457
> 
> 14:26:49.132573
> 
> 14:26:49.132604
> 
> 14:26:49.134084
> 
> 14:26:35.525248            (Jumps back ~13.5 seconds)
> 
> 14:26:35.525376
> 
> 14:26:35.525567
> 
> 14:26:49.283965            (Jumps ahead ~13.5 seconds)
> 
> 14:26:49.882512
> 
> 14:26:49.882613
> 
> 14:26:49.882645
> 
> … this pattern continues forever and ever (or, at least for the 35
> minutes of the capture)
> 
>  
> 
> Has anyone seen this?  Any ideas?
> 
>  
> 
> If I understand how Winpcap works (that’s a big “IF”), Winpcap grabs the
> packet, applies a timestamp using the system clock, passes it to
> Ethereal, who gives it the next frame number and adds it to the packet
> set, and waits for the next packet.  So, how these timestamps are
> showing this behavior has got me good and puzzled J.
> 
>  
> 
> ADDITIONAL INFO
> 
> OS:      MS Windows 2000 SP2
> 
> Proc:    x86 Family 6 Model 8 Stepping 3
> 
> NIC:      Compaq NC3163 Fast Ethernet NIC 
> 
> Thx much,
> 


-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who