Support timestamp method selection by capture handle rather than registry key #46
Operating systems have various timestamp methods available with differing tradeoffs between granularity, accuracy, precision, efficiency, etc.
Npcap has an undocumented legacy method (inherited from Winpcap) for choosing this on a system-wide basis using TimestampMode registry key. It can be set to "0", "2", or "3":
The registry location for this key depends on whether you are using Npcap native mode or Winpcap compatible:
It is probably best to just set both. Also note that even the Winpcap compatible location is a bit different than what Winpcap uses (which is HKLM\System\CurrentControlSet\Services\NPF\TimestampMode).
We have verified that this feature works with Npcap 0.9983, but we haven't officially documented it because setting the timestamp mode system-wide is not a great approach. It could cause issues if multiple applications are using Npcap and each wants a different mode.
The better method that we might actually want to officially support uses the per-capture handle timestamp option as described here. That describes the options available on several platforms, but we don't offer any non-default options through this API on Windows (Npcap). But we might, if we see demand for it. We created this issue both to document the current situation and also so folks can comment if the normal default mechanism doesn't work well for them. Please also note what you would prefer and why. The more well-supported requests we get, the more we can prioritize this issue. We don't waste time implementing a feature that nobody seems to want. And, at least for our Nmap Security Scanner, the default timestamp methods seem to be working well enough for us.
The text was updated successfully, but these errors were encountered:
Any of the supported timestamp modes can be set via PacketSetTimestampMode(), which uses the new BIOCSTIMESTAMPMODE IoControl code. The TimestampMode Registry setting is still observed as the default for new capture handles. Changing the timestamp mode will empty the kernel's capture buffer to avoid conflict between timestamps in captured packets.
So the next step would be to have a packet.dll interface to get a list of all the supported TIMESTAMP_ modes for a given handle. (Currently, it's system-wide, rather than per-adapter, but if Microsoft ever offers a way to get adapters that have their own clocks to provide time stamps to NDIS filter drivers, it could become per-adapter, so let's make it per-handle.)
Then the next step would be to add support for
Note, however, that, on Windows 8 and later,
Offering a choice for Windows 7 might be worthwhile, as you can't get both high resolution and synchronization with the system clock, so you'd have to choose which you want - assuming the now-supported-only-maybe-by-extra-long-term-support-with-Microsoft Windows 7 is worth adding that. (Note that Wireshark currently has no way to request different time stamp types from the GUI, so that would need to be added. tcpdump and dumpcap support specifying the time stamp type.)
Since timestamp method selection is already available per capture handle, I'm closing this issue. The idea for getting a list of timestamp modes via ioctl is #174
Regarding "TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE is probably what almost all, if not all, users would want," I think Nmap in particular would rather have all clocks monotonically increasing, since it's less important for us what time the wall clock said when a packet arrived as it is how long it has been since we sent the probe that elicited the response. Unfortunately, on all systems we use