Support timestamp method selection by capture handle rather than registry key #1775
Operating systems have various timestamp methods available with differing tradeoffs between granularity, accuracy, precision, efficiency, etc.
Npcap has an undocumented legacy method (inherited from WinPcap) for choosing this on a system-wide basis using the TimestampMode registry key. It can be set to "0", "2", or "3":
The registry location for this key depends on whether you are using Npcap native mode or WinPcap-compatible mode:
It is probably best to just set both. Also note that even the WinPcap-compatible location is a bit different than what WinPcap uses (which is HKLM\System\CurrentControlSet\Services\NPF\TimestampMode).
We have verified that this feature works with Npcap 0.9983, but we haven't officially documented it because setting the timestamp mode system-wide is not a great approach. It could cause issues if multiple applications are using Npcap and each wants a different mode.
The better method that we might actually want to officially support uses the per-capture handle timestamp option as described here. That describes the options available on several platforms, but we don't offer any non-default options through this API on Windows (Npcap). But we might, if we see demand for it. We created this issue both to document the current situation and also so folks can comment if the normal default mechanism doesn't work well for them. Please also note what you would prefer and why. The more well-supported requests we get, the more we can prioritize this issue. We don't waste time implementing a feature that nobody seems to want. And, at least for our Nmap Security Scanner, the default timestamp methods seem to be working well enough for us.