Npcap driver service's registry key is usually in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf
. In this key, you need to manually create a REG_DWORD
value named TimestampMode
,
the value can be (in decimal):
0, DEFAULT_TIMESTAMPMODE
1, TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP
2, TIMESTAMPMODE_QUERYSYSTEMTIME
3, TIMESTAMPMODE_RDTSC (only supported on x86 systems)
99, TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP
If this value doesn't exsit, Npcap will regard TimestampMode
as 0
.
Don't forget to reboot the driver by net stop npf
and net start npf
to make this option change take effect.
You can also refer to https://www.wireshark.org/lists/wireshark-users/201008/msg00171.html and https://www.wireshark.org/lists/wireshark-users/201001/msg00125.html for the details about Timestamp Mode.