It is now possible (but see requirements below) to have virtualized DNA base its packet capture timing on the underlying (host hardware) clock, thus keeping capture timing consistent with the real world clock.
To make the accurate time stamps work, the following is required:
Packet Capture Driver 3.12 (32-bit Windows environment) or 4.01 (64-bit Windows environment). These drivers are included with the release. This is a Windows-only enhancement; no improvement will be visible when UNIX agents are used in virtual machines.
VMware ESX(i) 3.5 (or later) or VMware Workstation 6.5 (or later).
To enable hardware-based timing in virtualized DNA:
Delete Windows registry key
VMware Pseudo-Performance Counter or keep it but set its value to
TRUE in the virtual machine's
In the vSphere Client's list of virtual machines, right-click the machine (which must be turned off) and select Edit settings.
In the Virtual machine properties dialog, click the Options tab.
On the Options tab, go down to the Advanced section and select General.
Click Configuration parameters.
In the Configuration parameters dialog, click Add row.
Set the new row's Name to
monitor_control.pseudo_perfctr and its Value column to
To verify that you are using hardware-based timing, review the log files on the machine where network traffic is captured, which is the console when capturing locally, or the agent machine, or the machine on which you are running SimpleCapture. The log entries on the DEBUG log level differ, depending on the timer you are using.
When the standard (virtual timer) is used, you will see log entries such as:
“Selected timestamping source: classic performance counter”
When the hardware-based method is used (when VMware Pseudo-Performance Counters have been detected and are available for use), you will see log entries such as:
“Selected timestamping source: VMware Pseudo-Performance Counter”
This new timing accuracy comes at a significant processing cost, which means that DNA 12.4.5 running in a virtualized environment may not be able to handle as many packets per second as it could previously, especially if the host machine (real hardware) is slow or overburdened.
Make sure your VMware installation is running on robust hardware.
Avoid capturing traffic with DNA on VMware ESXi with too many other virtual machines at the same time.
Avoid capturing traffic with DNA on VMware Workstation when the machine is simultaneously running CPU-intensive applications such as antivirus scans.