Wireshark-bugs: [Wireshark-bugs] [Bug 3815] New: Same packet (receiver frame's time < sender fra

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Thu, 6 Aug 2009 21:03:41 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3815

           Summary: Same packet (receiver frame's time  < sender frame's
                    time)
           Product: Wireshark
           Version: 1.2.0
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: Critical
          Priority: Medium
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: sysem85@xxxxxxxxx


Created an attachment (id=3467)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3467)
Sender & Receiver Captures

Build Information:
C:\Documents and Settings\stanley>tshark -v
NOTE: you should run 'diskperf -y' to enable the disk statistics
TShark 1.0.6 (SVN Rev 27387)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.14.6, with WinPcap (version unknown), with libz 1.2.3,
without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8, with ADNS, with
Lua 5.1, with GnuTLS 2.6.3, with Gcrypt 1.4.3, with MIT Kerberos.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.

Built using Microsoft Visual C++ 6.0 build 8804

C:\Documents and Settings\stanley>
--
My machine is installed two interface cards(one send to another through the
public network), 

i use tshark textmode to output the frame.time, ip.id (from the two captures at
the sender interface card and the receiver interface card ) in order to have
some calculations on the forward delay of the packet.

When i am doing so, i find that for the same packet(identified by the ip.id),
the receiver frame.time is less than sender frame.time. Therefore, my
calculated forward delay is negative, which is impossible.

Is it an error for wideshark to capture two interface card at the same time
independently in the same machine. Or else, is there any ways for me to use one
wideshark program to capture two interface card at the same time ?? Thx.

Attached is the .pcap of sender and .pcap of receiver.

Sender (T-shark command)
tshark -r ".pcap" -e ip.id -e frame.time -T fields "(ip.src == 137.189.97.29 &&
ip.dst == 121.203.47.237) &&(tcp.port == 10000 || tcp.port == 20000)"

Receiver ( T-shark command)
tshark -r ".pcap" -e ip.id -e frame.time -T fields "(ip.src == 137.189.97.29 &&
ip.dst == 121.203.47.237) && (tcp.port == 10000 || tcp.port == 20000)"

Result:
Sender
ip.id            frame.time
0x4ae8  Apr  6, 2002 13:08:33.692715000

Receiver
ip.id            frame.time
0x4ae8  Apr  6, 2002 13:08:33.687500000

Time Difference = -5.215 ms


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.