This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

packets out of order

Is it common for packets to be out of order when capturing on two interfaces?

I have noticed that my packets do not always arrive in the correct order. For instance I may get a DHCP ACK before the DHCP Request. I am just wondering if I should ignore this type of thing or not.

Would an aggregating TAP provide better results?

I am just starting out with Wireshark so my equipment is not ideal. I am using a new MacBook Pro. This MacBook does not have wired Ethernet so I am using USB 3.0 to Ethernet adapters. I am also using the following network tap: https://hakshop.myshopify.com/collections/gadgets/products/throwing-star-lan-tap-pro

I am assuming the packet order issue has to do with using two interfaces. I am fixing to buy a new TAP so I am wondering if I should get an aggregating tap to solve out of order packet issues or just ignore it.

I am between Net Optics and Network Instruments. Both companies have aggregating and non-aggregating models.

asked 23 Jun '14, 19:20

fishfilet


One Answer:

Yes, it is common, but you can use the command line tool "reordercap" to fix that. Reordercap is part of the Wireshark distribution. Taps are expensive, so I'm not sure it makes any sense to buy one unless you really need very exact results. The problem with aggregation taps is that they are not always reliable; I had a few issues with them where they didn't provide correct results or even introduced CRC errors to a link.

My advice: reorder your files with reordercap and see if you can work with that.

answered 23 Jun '14, 20:18

Jasper ♦♦

I read about reordercap but it functions on the timestamps which are also generally out of order although in a different order than the frames.

I can deal with the packets being out of order if it's normal. I just wanted to make sure that there are no major problems analyzing trace files because of it.

If this is something everyone deals with and it's no big deal I'll just get a cheaper tap. I want to get a new one because mine is 10/100 only. Used non-aggregating taps are not too expensive.

(23 Jun '14, 20:41) fishfilet

If you reorder your capture by timestamp you should no longer see answer packets before request packets - if you still do then your capture setup is not working.

Out-of-order packets are also quite normal on a TCP level if earlier packets arrive later due to buffering and other reasons. But you should (after reordercap) never see packets that can't have been on the network in that order (like an answer being sent before you see the request for it).

The HakShop TAP is a passive Ethernet TAP, which is why it can only work up to 100 MBit/s. There's no way to build a TAP like that for speeds 1G and up due to technical reasons. BTW, if looking at TAPs also take a look at Garland Technology.

(24 Jun '14, 05:40) Jasper ♦♦
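
As an added example (not part of the original thread, and not reordercap's source): the Python below reads a classic little-endian pcap, lists the frames whose timestamp is earlier than a frame already seen, and rewrites the file sorted by timestamp, which is the idea behind the reordering discussed above. The sample capture, its payload labels and the function names are constructed for this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(records):
    """Build a little-endian pcap from (ts_sec, ts_usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in records:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return (global_header, [(timestamp_in_us, raw_record), ...])."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled")
    header, offset, frames = blob[:24], 24, []
    while offset < len(blob):
        if offset + 16 > len(blob):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, offset)
        end = offset + 16 + incl_len
        if end > len(blob):
            raise ValueError("truncated record data")
        frames.append((sec * 1_000_000 + usec, blob[offset:end]))
        offset = end
    return header, frames

def out_of_order(frames):
    """1-based numbers of frames older than the newest timestamp seen so far."""
    late, newest = [], None
    for number, (ts, _record) in enumerate(frames, start=1):
        if newest is not None and ts < newest:
            late.append(number)
        else:
            newest = ts
    return late

def reorder(blob):
    """Rewrite the capture with frames sorted by timestamp."""
    header, frames = read_pcap(blob)
    # sorted() is stable, so frames with equal timestamps keep their file order
    ordered = sorted(frames, key=lambda frame: frame[0])
    return header + b"".join(record for _ts, record in ordered)

# Constructed capture: the "ACK" was written to the file before the "REQUEST",
# as can happen when two capture interfaces are merged into one file.
SAMPLE = build_pcap([(100, 100, b"DISCOVER"), (100, 300, b"OFFER"),
                     (100, 900, b"ACK"), (100, 600, b"REQUEST")])
```

If `out_of_order()` still reports nothing after reordering but a reply precedes its request, the timestamps themselves are wrong, which points at the capture setup rather than the file order.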