Wireshark · Wireshark-users: Re: [Wireshark-users] Wireshark time behind the actual time

["Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>]

It's a WinPcap specific setting.

HKLM\System\CurrentControlSet\Services\NPF\TimestampMode

Possible values are
0 (default) -> Timestamps generated through KeQueryPerformanceCounter, less 
reliable on SMP/HyperThreading machines, precision = some microseconds
2 -> Timestamps generated through KeQuerySystemTime, more reliable on 
SMP/HyperThreading machines, precision = scheduling quantum (10/15 ms)
3 -> Timestamps generated through the i386 instruction RDTSC, less reliable 
on SMP/HyperThreading/SpeedStep machines, precision = some microseconds

After you change the setting (you want use 2), you need to restart the NPF 
driver by opening an elevated command prompt and running "net stop npf" 
followed by "net start npf".

Have a nice day
GV

--------------------------------------------------
From: "Keith French" <keithfrench@xxxxxxxxxxxxx>
Sent: Friday, August 20, 2010 2:42 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark time behind the actual time

> What is the registry key, location & setting for using the system time? I
> have searched through my Windows 7 registry & can't see anything obvious.
>
>
> --------------------------------------------------
> From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
> Sent: Friday, August 20, 2010 6:59 PM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Wireshark time behind the actual time
>
> > --------------------------------------------------
> > From: "Guy Harris" <guy@xxxxxxxxxxxx>
> > Sent: Friday, August 20, 2010 10:48 AM
> > To: "Community support list for Wireshark" 
> > <wireshark-users@xxxxxxxxxxxxx>
> > Subject: Re: [Wireshark-users] Wireshark time behind the actual time
> >
> > > On Aug 20, 2010, at 4:09 AM, Gary Chaulklin wrote:
> > >
> > > > I am working with an employee in a remote location.  I am getting him 
> > > > to
> > > > run FiddlerCap and Wireshark to get plain text and packet level traces
> > > > to
> > > > troubleshoot an issue.
> > > >
> > > > The FiddlerCap trace matched the users experience in terms of watching
> > > > the clock on the PC, but Wireshark is about 20 seconds behind the 
> > > > actual
> > > > time.  As the trace goes on the time of the Wireshark packets gets more
> > > > behind the actual time so that by the end of a 5 minute trace it is 
> > > > over
> > > > 60 seconds behind.  The FiddlerCap trace which records timings to the
> > > > millisecond always seems to be correct.
> > > >
> > > > Any ideas as to why the Wireshark time would be behind the actual time
> > > > for this remote user?  I have worked with dozens of users over a period
> > > > of several years with first Ethereal then Wireshark and have never seen
> > > > this particular issue.
> > > >
> > > > The remote user and I run the same Windows XP Professional PCs.
> > >
> > > ...which means the capture is being done using WinPcap, and thus the 
> > > time
> > > stamps are coming from WinPcap.
> > >
> > > As I remember, WinPcap has multiple time stamping modes:
> > >
> > > In one mode, it queries the system time stamp; in that mode, the time
> > > stamps will obviously match the time stamp on the clock on the PC
> > > (whether
> > > the PC's clock is the "actual time" is another matter), but, at least
> > > according to
> > >
> > > http://www.osronline.com/ddkx/kmarch/k105_41iq.htm
> > >
> > > "System time is typically updated approximately every ten 
> > > milliseconds.",
> > > which means that the time stamp resolution is only 10ms or so.
> > >
> > > In at least some of the other modes, it uses the performance counter; in
> > > that mode, you can get higher-resolution time stamps, but the time can
> > > drift from the system time.
> > >
> > > I'll let the WinPcap developers give more details and corrections to the
> > > above.
> >
> > There is not much to add to it. WinPcap by default uses a timestamping
> > source that is quite accurate but gets synchronized with the system clock
> > only at the beginning of a capture (it's actually more complicated than
> > this. The point is that it doesn't resync during the capture). There is 
> > an
> > option (through the registry) to change the timestamping mode and use the
> > system time. The problem with that is that the system time gets updated
> > every X milliseconds (where X can be something between 1 and 15 or so).
> >
> > Have a nice day
> > GV
> >
> >
> >
> > > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list 
> > > <wireshark-users@xxxxxxxxxxxxx>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe