Ask Your Question
1

Time deltas from previous frames are zeros

asked 2021-04-12 13:35:51 +0000

dovla gravatar image

Hi Wireshark community,

I am using the Wireshark to observe 1 Gbit Ethernet traffic at the Ethernet Port of the Intel NUC (Model NUC10i5FNHCA). The traffic frames are displayed correctly and also in the correct order but the time values are faulty. Namely, the time deltas between the frames display only zeros - as all frames are received at the same time.

When using the Wireshark on my main computer (with the same Network Card as the Intel NUC) I am able to observe the traffic and the time differences around 5-10 microseconds.

I have already updated drivers, BIOS, turned off all power-saving features and increased the performance of the network adapter .. I would be very thankful if anyone could support me on this problem and explain me why I cant see those time values on the Intel NUC..

Copy of Wireshark Info:

3.4.4 (v3.4.4-0-gc33f6306cbb2)

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with Minizip.

Running on 64-bit Windows 10 (1909), build 18363, with Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz (with SSE4.2), with 7996 MB of physical memory, with locale English_Austria.utf8, with light display mode, without HiDPI, with Npcap version 1.10, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (21 loaded).

edit retag flag offensive close merge delete

Comments

npcap is a couple versions behind. There have been some changes related to timestamps that might help.

Chuckc gravatar imageChuckc ( 2021-04-12 14:17:55 +0000 )edit

Thank you for your answer! I have updated the Npcap to 1.30 and still no changes ...

dovla gravatar imagedovla ( 2021-04-12 14:24:10 +0000 )edit

Can you share a capture file from the NUC?

The Wireshark capinfos command will display timestamp precision from the capture files:

C:\>capinfos host_hi_ts.pcapng | findstr /I precis
File timestamp precision:  microseconds (6)
                     Time precision = microseconds (6)
Chuckc gravatar imageChuckc ( 2021-04-12 17:09:49 +0000 )edit

Thank you for your answer!

The data from the capture file: File timestamp precision: microseconds (6) Time precision: microseconds (6)

I still did not figure out what could be the issue..

dovla gravatar imagedovla ( 2021-04-13 07:34:24 +0000 )edit

The issue is the granularity of the timestamping mechanism used by the capture library, in this case npcap, and the granularity of how those timestamps are stored, in this case the pcap format.

An old npcap issue, #46 discusses timestamp options, I have no idea if those are still supported,

As this is an npcap issue, discussions are best taken over to the npcap support system.

grahamb gravatar imagegrahamb ( 2021-04-13 07:59:01 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-04-15 06:51:25 +0000

dovla gravatar image

I managed to fix the issue by setting the TimestampMode Registry key to value 4, as described here: https://ask.wireshark.org/question/63...

Still not perfect but the best that I could get and I am happy with it.

edit flag offensive delete link more

Comments

@divla Can you provide us a screenshot of a trace with this new settings enabled.

Christian_R gravatar imageChristian_R ( 2021-04-15 08:21:32 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-04-12 13:35:51 +0000

Seen: 107 times

Last updated: Apr 15