We have a sniffer running continuously in one of our facilities, capturing data to/from a specific system. The box is running Windows XP Pro (SP-3) and dumpcap is running as a service using srvany.exe. The clock on this system is synchronized with the rest of the hosts on this network.
When left running for an extended period of time (weeks/months) it seems the timestamps recorded in our captures slowly drift backwards. The timestamp recorded in the filename as each new file is created matches the system time relatively well (from observation; i.e. when BAT_99717_20090415222212.cap was created, the system clock showed 10:22 PM.) however the packet timestamps within the file are off by a significant amount. (In this particular example, the first packet in the file has a timestamp of 22:16:18, nearly 6 minutes earlier than when the file was opened.)
Stopping and restarting the service seems to correct this; after a restart, the first packet in the new file had a timestamp closely matching the timestamp in the filename (and the system time.)
What documentation I can find seems to indicate that WinPCap obtains the timestamp from the system as packets are received; since the system itself reflects the correct time, the discrepancy we are seeing strikes me as rather odd. Has anyone else seen this or know what could cause it?
The command line used to start Dumpcap from SrvAny is:
-i \Device\NPF_{ABF2B612-CEAA-46CE-BEEB-D401F37BAEFF} -B 8 -b filesize:5000 -b files:5000 -w c:\sniff\BAT.cap
The version of Wireshark we are using is 1.0.0, with WinPcap 4.0.2. (Yes, I know it's old. We can easily update to the latest version, but I figured I'd ask anyway in case anyone knows of a different cause for this issue.)
Thanks,
--
Phil