Hi, I am working on developing a customized packet sniffer for Windows 7 64 bit host system (NIC card is Realtek PCIe GBE Family Controller) and am using WinPcap 4.3.1 library using C programming and Cygwin development platform. I am able to read outgoing and incoming TCP and UDP packets through my program. However, I am stuck in a problem of not able to get correct timestamp in microsecond from the struct pcap_pkthdr structure. Following is the code snippet from the program where the problem exists: Following is the console output that I got for these 2 printf() statements in a run: 1) Epoch is: 1460262399 Time in seconds (header->ts.tv_sec&0x00000000ffffffff) is correct as it translates to 2016-04-09::23:26:39 (yy-mm-dd::hh-mm-ss format) However, the Microsecond (header->ts.tv_usec) is not correct as the hex value of Microsecond is 0x16F0000016F that always shows this kind of repeating pattern (with different values) at the low and high octet positions. I have analyzed memory dumps and found the same values that makes me believe that the header->ts.tv_usec is not filled correctly by the NPF driver. I did a lot of search and could not find this issue reported anywhere. Also, I tested the code on separate AMD and Intel machines and the issue seems to linger. Any suggestion(s) to solve this problem would be highly appreciated. asked 09 Apr '16, 22:24  Han edited 11 Apr '16, 15:48  Guy Harris ♦♦ |
One Answer:
answered 11 Apr '16, 15:49 Guy Harris ♦♦ |
Not really an Ask Wireshark question, but anyway.
Presumably you mean WinPcap 4.1.3. You say you're using Cygwin, I'm not sure mixing Cygwin and WinPcap works.
Wireshark seems to be able to use WinPcap to retrieve packets with microsecond precision, unless it's just making them up, and it uses the same field in the packet header.
dumpcap is the Wireshark process that interfaces with WinPcap, maybe looking at the code in dumpcap.c might help.
Thanks Grahamb. I posted this question because there is no help available on this behavior anywhere and as Wireshark is using WinPcap therefore, I though it might be a good idea to ask folks here. Sorry for the typo that is corrected. I am getting other fields correctly from Cygwin based C code so I believe it works fine with other packet data structures but microsecond field is not correct. I checked dumpcap.c but they seem to use the same functions which kind of perplexes me more. I need microsecond stamp for my task and still not sure how to debug it. NPF driver works fine for other data fields but somehow fills microseconds incorrectly (as I figured out).
Yes, it's more of a stackoverflow question.
I'm not sure, either. WinPcap expects MSVC's definition of struct timeval, and Cygwin's might be different.