A colleague asked and I didn't really know the answer: When capturing on multiple interfaces which is the preferred sorting order so that packets are displayed in order of arrival at the capturing machine? Sorting by time appears to give the best results, sorting by Frame No. leads to inconsistent results. If sorting by time is best, is even that guaranteed to display the packets in arrival order, or are there "oddities" in the capturing mechanisms that could give errant results? asked 20 Dec '12, 03:43  grahamb ♦ |
One Answer:
My personal experience with capturing on multiple interfaces has been that sorting on time worked best (this is, I believe, what the new 'reordercap' utility was designed for). But I found that annoying so what I ended up doing (since I was using Linux) was capturing on the 'any' pseudo-device and using capture filters to filter out traffic on the (one or two) interfaces I wasn't interested in. Some background: while Wireshark (1.8.0+) now supports capturing on multiple interfaces simultaneously it does this by spawning off multiple threads (one per interface). Of course, due to the vagaries of OS (thread) scheduling, it's possible that packets that arrive on 2 different interfaces very close in time may arrive in the capture file out of order. answered 20 Dec '12, 06:44  JeffMorriss ♦ |
inconsistent? In terms of what?
The packet order in Wireshark relative to what is actually seen by the receiving application as determined from application log files and the timestamps in Wireshark are not in increasing order.