Hi, I'm using WinPcap in conjunction with a different source of timestamped messages and I need to be able to merge the packets/messages in their correct chronological sequence to microsecond accuracy.
WinPcap uses the performance counter as the basic packet timestamp but then converts it to seconds + microseconds since Jan 1 1970 by adding a value it calculates during initialisation based on the system time (KeQuerySystemTime). This provides a very accurate timestamp of each packet relative to other packets but the absolute time value relative to 1970 is determined by the accuracy of the system time. This is about 10ms on NT and (I believe) about 55ms on Win98. This would be no problem if my only source of packets/messages was WinPcap - I don't care that the wall clock time may be milliseconds out. However, I need to merge these packets with others from a different driver which also have timestamps in terms of s/us from Jan 1 1970. As both of these timestamps are based on a value which only has (at best) 10ms accuracy, I can't reliably merge them into a chronological stream. I can think of two possible solutions, neither of which I like very much. The first is for WinPcap to provide the performance counter value as well as the s/us timestamp. I can already get this count from my other driver and it would allow me to merge them properly and calculate the wall clock time myself (once only). The other possible solution is for WinPcap to make accessible outside the driver the value it calculates on initialisation. I can then apply this to the other messages. I'm not sure if this solves the problem for Win98 as well (I need to support Win98 and Win2k). I'd be grateful for any comments or advice on any other possible solutions to this. Thanks in advance, Mark Lamb -- Mark Lamb Schlumberger Ferndown Industrial Estate Wimborne Dorset BH21 7PP +44 (0)1202 850943 [EMAIL PROTECTED]
