This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Relation between packet number and time

Packet  1       2       3       4       5
time    .00001  .00002  .00005  .00006  .00004

asked 26 May '15, 12:59

stobbe99

Is this out-of-sync sequence between number and time an issue?

(26 May '15, 13:01) stobbe99

One Answer:

Is this out-of-sync sequence between number and time an issue?

It (most certainly) means one of the following things:

  • you have captured on several interfaces in parallel
  • you have merged several pcap files into one file

Regards
Kurt

answered 26 May '15, 13:57

Kurt Knochner ♦

Kurt,

And when I see this on one interface? I really see packets with a higher sequence number arriving before some packets with a lower sequence number.

KR Henk

(26 May '15, 14:11) stobbe99

The OS delivering packets to the packet capture mechanism out of order? I've seen that happen on multiprocessor/multicore Linux systems, for example; it may be that the packet that arrives on the host first (and gets an earlier time stamp) ends up arriving at the PF_PACKET socket after another packet that arrived later on the host.

(26 May '15, 14:52) Guy Harris ♦♦

Guy,

Yes, it is a multicore Linux system. Is this a problem for Wireshark?

KR Henk

(26 May '15, 19:56) stobbe99

Yes, it is a multicore Linux system. Is this a problem for Wireshark?

If by that you mean "is this a problem for programs that capture packets using PF_PACKET sockets, such as programs using libpcap, one of which is dumpcap, the program that Wireshark uses to capture packets" :-), the answer is "yes", but the answer also means "trying another program, such as tcpdump, which also uses libpcap, won't help".

It might be possible to make libpcap work around that "feature" of Linux, but that would take some work.

(26 May '15, 22:05) Guy Harris ♦♦
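
An added example, not part of the original thread: when building a forensic timeline from a capture, it helps to know which frames have a timestamp earlier than the frame before them, as in the question above. The sketch below parses a classic pcap file and lists those frames; the function names and the in-memory sample capture (built from the five timestamps in the question) are constructed for illustration.

```python
import struct

# Classic pcap magic numbers -> (byte order, timestamp ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),
    b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),
    b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def find_time_regressions(pcap_bytes):
    """Return [(frame_no, ts, previous_ts)] for records whose timestamp is
    earlier than the record before it; timestamps are integer ticks."""
    if pcap_bytes[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, ticks = MAGICS[pcap_bytes[:4]]
    offset, frame_no, prev, hits = 24, 0, None, []
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, captured length, original length
        sec, frac, caplen, _ = struct.unpack_from(order + "IIII", pcap_bytes, offset)
        offset += 16 + caplen
        if offset > len(pcap_bytes):
            break  # truncated final record
        frame_no += 1
        ts = sec * ticks + frac
        if prev is not None and ts < prev:
            hits.append((frame_no, ts, prev))
        prev = ts
    return hits

def build_sample_pcap(usec_stamps):
    """Constructed sample: little-endian microsecond pcap, 4-byte dummy frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for us in usec_stamps:
        out += struct.pack("<IIII", us // 10**6, us % 10**6, 4, 4) + b"\x00" * 4
    return out

# Timestamps from the question: .00001 .00002 .00005 .00006 .00004 seconds
SAMPLE = build_sample_pcap([10, 20, 50, 60, 40])

if __name__ == "__main__":
    for frame_no, ts, prev in find_time_regressions(SAMPLE):
        print(f"frame {frame_no}: timestamp {ts} is earlier than previous {prev}")
```

To get a file ordered by timestamp for analysis, the `reordercap` tool shipped with Wireshark rewrites a capture in time order.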