miyazaki tatsuhiro wrote:
> What's the packet number on display, and
> what's the difference between the packet number and the timestamps?
> The packet number is sorted by capturing order, and the timestamp shows the
> captured time, I think.
> If it's correct, even if I order by the number or the timestamps, the order
> should not change.
> However, some of my capture files change the order.

The packet number is just the ordinal number of the packet within the
file; the packets are in the order in which the OS's packet capture
mechanism delivered them to the program doing the capturing.

The time stamp comes from the OS. For packets received by the machine
doing the capturing, it's the time at which whatever part of the OS
time-stamps the packet does so - this could be any time between the
point at which the packet starts to be processed by the host (which
could be after the point at which the packet is received by the network
adapter) and the point at which the packet is supplied to the program
doing the capturing; different OSes do the time stamping differently.

Somebody's said that the Linux packet capture mechanism can, on
multi-processor machines, deliver packets in an order other than the
order in which they're time stamped, in which case sorting by the packet
number will produce a different order than sorting by the time stamp.
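
A check for the situation described above, added here as an example (not code from the original message or from any capture program): it reads a classic pcap file, assumed not to be pcapng, and lists packets whose time stamp is earlier than one already seen in file order. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic, as the first four bytes appear in the file, mapped to
# (struct byte order, time stamp fraction units per second).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def read_timestamps(data):
    """Return [(packet_number, time_stamp)] in file order, 1-based numbers."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    out, offset, number = [], 24, 1
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):
            break  # truncated final record: stop rather than guess
        out.append((number, sec * units + frac))
        offset += 16 + incl_len
        number += 1
    return out

def out_of_order(stamps):
    """Return (packet, earlier_packet_with_later_time_stamp) pairs."""
    hits, latest = [], None
    for number, ts in stamps:
        if latest is not None and ts < latest[1]:
            hits.append((number, latest[0]))
        else:
            latest = (number, ts)
    return hits

def time_order(stamps):
    """Packet numbers as they would appear when sorted by time stamp."""
    return [n for n, _ in sorted(stamps, key=lambda p: p[1])]

def sample_capture():
    # Constructed capture: packet 3 is time-stamped before packet 2.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    times = [(100, 10), (100, 500), (100, 200), (100, 900)]
    return hdr + b"".join(
        struct.pack("<IIII", s, u, 4, 4) + b"\x00" * 4 for s, u in times)

if __name__ == "__main__":
    stamps = read_timestamps(sample_capture())
    print(out_of_order(stamps), time_order(stamps))
```

When building a timeline from a capture, an empty result from `out_of_order` means both sort orders agree; any hit marks a point where the packet number and the time stamp disagree about sequence.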