Recorded packet time stamps drift from system time with Wireshark release 3.0 and later

asked 2022-10-14 16:53:50 +0000

updated 2022-10-15 01:16:52 +0000


Hello,

On a Windows system we are using Wireshark (with WinPcap) to record UDP packets transmitted by our system. It allows us to then compare the time of the transmission with the recording time. With recent Wireshark releases (I tested several versions in the 3.6 branch) we have a time drift, as if Wireshark is not using the system time, which is synchronized using a local NTP server. I tried an old version (1.12.X) and the problem is not present.

While looking on the internet I found a registry key to update (TimestampMode to 2), but it only works for Wireshark 1.12, not for 3.6.X.

Any idea?

Thanks.

David


1 Answer


answered 2022-10-14 22:37:30 +0000 by Guy Harris

For time stamps in captures, Wireshark uses the time stamp from the capture file, and dumpcap, when writing out a live capture file, uses the time stamp from the capture mechanism.

I.e., Wireshark doesn't generate those time stamps, the capture mechanism does.

In this case, as you're capturing on Windows, the time stamps are coming from WinPcap or Npcap.

For WinPcap, here's a mail message from one of the WinPcap developers describing the time stamp modes that WinPcap provides. As it notes, WinPcap can either provide a low-precision time stamp based on the system clock or a higher-precision clock, based on a higher-precision timer but not synchronized with the system clock, as that's all the hardware and Windows OS provided at the time.

For Npcap, here's an issue comment describing the time stamp modes that Npcap provides (and also mentioning an undocumented deprecated mode, not mentioned in the aforementioned mail message, supported in WinPcap but not in Npcap). It notes that newer versions of Npcap, on Windows 8 or later, provide a new time stamp mode that provides a higher-precision clock that is synchronized with the system clock; it requires Windows 8 because prior versions of Windows didn't make that time stamp available. (As I said in that comment, for more than you ever wanted to know about getting time stamps in Windows, see Acquiring high-resolution time stamps.)

The Windows installers for Wireshark, prior to version 3.x, included the WinPcap installer; starting with 3.0.0, the installer included the Npcap installer. That's why there's a difference between pre-3.0 releases and 3.0 and later - there's a difference in the capture mechanism that they install. It's not a difference in the Wireshark code.

Please note that the mail message about WinPcap indicates that the WinPcap registry key for the time stamp mode is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NPF\TimestampMode and that the first comment in the issue about Npcap indicates that the Npcap registry key for the time stamp mode is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\npcap\Parameters\TimestampMode. This means that changing the registry key for WinPcap will not affect Npcap; you will need to add or change the Npcap registry key. That's why the WinPcap registry key had no effect with Wireshark 3.x - it was using Npcap, which doesn't look at the WinPcap registry keys.

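The answer above names two different registry keys, one read by WinPcap and one read by Npcap. The following PowerShell is an added example, not code from the answer, from Wireshark or from the Npcap project: it reports which capture driver is installed and what each key currently holds, then sets the Npcap value and reloads the driver. It assumes, beyond what the page states, that TimestampMode is a REG_DWORD, that the npcap driver reads it only when it loads (hence the stop/start via sc.exe, since Get-Service does not list kernel drivers), and that the Windows 8+ mode that is both high-resolution and synchronized with the system clock is value 3 (TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE in the Npcap guide); confirm that number against the Npcap issue comment the answer links before relying on it.

```powershell
# Added example (not from the answer, Wireshark or Npcap): inspect the WinPcap and
# Npcap TimestampMode registry values named in the answer, and set the Npcap one.
# Run from an elevated PowerShell; stop any running capture first.
# Assumptions not stated on the page:
#   - TimestampMode is a REG_DWORD;
#   - the npcap driver reads it when it loads, so it is stopped and started
#     with sc.exe after a change (Get-Service does not list kernel drivers);
#   - 3 is TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE, the Windows 8+ mode that is
#     high-resolution and synchronized with the system clock, per the Npcap guide.
#     Confirm the number against the Npcap documentation linked in the answer.

$WinPcapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'              # read by WinPcap only
$NpcapKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters' # read by Npcap only

function Get-TimestampModeState {
    # One row per capture driver: is its service present, and what is TimestampMode set to?
    $rows = foreach ($d in @(
        @{ Driver = 'WinPcap'; Service = 'npf';   Key = $WinPcapKey },
        @{ Driver = 'Npcap';   Service = 'npcap'; Key = $NpcapKey }
    )) {
        $present = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($d.Service)"
        $mode = $null
        if (Test-Path $d.Key) {
            $mode = (Get-ItemProperty -Path $d.Key -Name 'TimestampMode' -ErrorAction SilentlyContinue).TimestampMode
        }
        $modeText = '(not set: driver default)'
        if ($null -ne $mode) { $modeText = $mode }
        [pscustomobject]@{
            Driver        = $d.Driver
            Installed     = $present
            RegistryKey   = $d.Key
            TimestampMode = $modeText
        }
    }
    $rows
}

function Set-NpcapTimestampMode {
    param([Parameter(Mandatory)][int] $Mode)

    if (-not (Test-Path $NpcapKey)) {
        throw "Npcap Parameters key not found; is Npcap installed?"
    }
    # Write only the Npcap key. Changing Services\NPF\TimestampMode affects WinPcap
    # alone, which is exactly why it did nothing under Wireshark 3.x.
    New-ItemProperty -Path $NpcapKey -Name 'TimestampMode' -PropertyType DWord -Value $Mode -Force | Out-Null

    # Reload the driver so the new value takes effect (assumption: read at driver load).
    & sc.exe stop npcap | Out-Null
    Start-Sleep -Seconds 2
    & sc.exe start npcap | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe start npcap failed with exit code $LASTEXITCODE" }

    # Return the value as now stored, for the caller to confirm.
    (Get-ItemProperty -Path $NpcapKey -Name 'TimestampMode').TimestampMode
}

Get-TimestampModeState | Format-Table -AutoSize
# Switch to the synchronized high-resolution mode (assumed to be 3, see header comment):
# Set-NpcapTimestampMode -Mode 3
```

After the driver restarts, start a fresh capture in Wireshark and compare frame time stamps against the NTP-synchronized system clock over a longer run; if the drift persists, the driver may have been loaded before the key was written, in which case a reboot is the safe fallback.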

Comments

Thanks for your reply! I will check on Monday.

Have a good weekend.

DavidCarlier (2022-10-15 13:48:10 +0000)
