Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support timestamp method selection by capture handle rather than registry key #1775

fyodor opened this issue Oct 7, 2019 · 1 comment


Copy link

commented Oct 7, 2019

Operating systems have various timestamp methods available with differing tradeoffs between granularity, accuracy, precision, efficiency, etc.

Npcap has an undocumented legacy method (inherited from Winpcap) for choosing this on a system-wide basis using TimestampMode registry key. It can be set to "0", "2", or "3":

  • 0 is the default and uses KeQueryPerformanceCounter. This provides great precision (some microseconds) but is less reliable on SMP/HyperThreading machines since it doesn't return monotonic values across multiple CPUs.
  • 2 uses KeQuerySystemTime instead, which is more reliable on SMP/HyperThreading machines, with a precision of a scheduling quantum (10/15 milliseconds)
  • 3 uses the i386 RDTSC instruction. This is also less reliable on SMP/HyperThreading/SpeedStep machines and has a precision of some microseconds.

The registry location for this key depends on whether you are using Npcap native mode or Winpcap compatible:

  • HKLM\System\CurrentControlSet\Services\npcap\Parameters\TimestampMode if using Npcap native API mode (npcap driver)
  • HKLM\System\CurrentControlSet\Services\npf\Parameters\TimestampMode if using Winpcap compatible mode (npf driver)

It is probably best to just set both. Also note that even the Winpcap compatible location is a bit different than what Winpcap uses (which is HKLM\System\CurrentControlSet\Services\NPF\TimestampMode).

We have verified that this feature works with Npcap 0.9983, but we haven't officially documented it because setting the timestamp mode system-wide is not a great approach. It could cause issues if multiple applications are using Npcap and each wants a different mode.

The better method that we might actually want to officially support uses the per-capture handle timestamp option as described here. That describes the options available on several platforms, but we don't offer any non-default options through this API on Windows (Npcap). But we might, if we see demand for it. We created this issue both to document the current situation and also so folks can comment if the normal default mechanism doesn't work well for them. Please also note what you would prefer and why. The more well-supported requests we get, the more we can prioritize this issue. We don't waste time implementing a feature that nobody seems to want. And, at least for our Nmap Security Scanner, the default timestamp methods seem to be working well enough for us.

@fyodor fyodor changed the title Add capture handle timestamp type support Support timestamp method selection by capture handle rather than registry key Oct 9, 2019

This comment has been minimized.

Copy link

commented Oct 9, 2019

Just as a data point, I was conversing with one Npcap user today who is now using mode "2" because they want the monotonic data.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
1 participant
You can’t perform that action at this time.