Is it common for packets to be out of order when capturing on two interfaces?
I have noticed that my packets do not always arrive in the correct order. For instance, I may get a DHCP ACK before the DHCP Request. I am just wondering if I should ignore this type of thing or not.
Would an aggregating TAP provide better results?
I am just starting out with Wireshark so my equipment is not ideal. I am using a new MacBook Pro. This MacBook does not have wired Ethernet so I am using USB 3.0 to Ethernet adapters. I am also using the following network tap: https://hakshop.myshopify.com/collections/gadgets/products/throwing-star-lan-tap-pro
I am assuming the packet order issue has to do with using two interfaces. I am fixing to buy a new TAP so I am wondering if I should get an aggregating tap to solve out-of-order packet issues or just ignore it.
I am between Net Optics and Network Instruments. Both companies have aggregating and non-aggregating models.
asked 23 Jun '14, 19:20
Yes, it is common, but you can use the command line tool "reordercap" to fix that. Reordercap is part of the Wireshark distribution. Taps are expensive, so I'm not sure it makes any sense to buy one unless you really need very exact results. The problem with aggregation taps is that they are not always reliable; I had a few issues with them where they didn't provide correct results or even introduced CRC errors to a link.
My advice: reorder your files with reordercap and see if you can work with that.
answered 23 Jun '14, 20:18
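What the reordering suggested in the answer above amounts to, as an added example that is not part of the original thread and is not Wireshark's code: a Python sketch that reads a classic pcap file, counts frames timestamped earlier than the frame before them, and rewrites the records sorted by timestamp. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct

# Classic pcap magic bytes -> byte order of the header fields
# (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def read_records(data):
    """Return (global_header, [((ts_sec, ts_frac), raw_record), ...])."""
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = PCAP_MAGICS[data[:4]]
    records, off = [], 24                      # global header is 24 bytes
    while off + 16 <= len(data):               # each record header is 16 bytes
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break                              # truncated last record: stop
        records.append(((ts_sec, ts_frac), data[off:end]))
        off = end
    return data[:24], records

def count_out_of_order(records):
    """Frames whose timestamp is earlier than the frame just before them."""
    return sum(1 for prev, cur in zip(records, records[1:]) if cur[0] < prev[0])

def reorder(data):
    """Return (pcap bytes sorted by timestamp, out-of-order count of input)."""
    header, records = read_records(data)
    # sorted() is stable, so frames with equal timestamps keep capture order.
    ordered = sorted(records, key=lambda rec: rec[0])
    return header + b"".join(raw for _, raw in ordered), count_out_of_order(records)

def build_sample():
    """Constructed capture: payloads are labels, not real DHCP frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(100, 500, b"DHCP-ACK"), (100, 200, b"DHCP-REQUEST"),
              (100, 900, b"ARP")]
    return header + b"".join(
        struct.pack("<IIII", sec, usec, len(p), len(p)) + p
        for sec, usec, p in frames)

if __name__ == "__main__":
    fixed, bad = reorder(build_sample())
    print(f"{bad} frame(s) out of order in the input")
    print([raw[16:] for _, raw in read_records(fixed)[1]])
```

Sorting only restores the order the timestamps describe; it cannot correct a timestamp that was itself recorded late on one of the capture interfaces.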