Wireshark-dev: Re: [Wireshark-dev] wireshark capture shows packets not chronologically captured

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 20 Dec 2010 12:59:08 -0800

On Dec 20, 2010, at 9:53 AM, Stephen Fisher wrote:

> That thread was 8 years ago, and a couple replies down, Alan Cox said: 
> "You should never need it. Ethernet, hubs, switches, routers, internet 
> backbones etc will all cause packet re-ordering. You should also expect 
> the percentage of re-ordered frames on the net to rise and rise." *sigh*

In the context of an application that's implementing a network protocol atop PF_PACKET sockets, his reply makes sense.

In the context of an application that's capturing network traffic, for the purpose of analysis where packet time stamps are important, not so much....

Admittedly, if high-resolution and high-accuracy time stamps are important, you probably want the network adapter doing the time stamping, which would eliminate that problem (at least as long as you don't have more than one such adapter) - but that might be overkill if all you want is monotonicity.
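
To check a saved capture for the non-monotonic time stamps discussed in this thread, the following added example (not code from the original message or from Wireshark) walks the records of a classic pcap file and reports every packet stamped earlier than the one before it. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct

# Classic pcap magic numbers: byte order and time stamp units per second.
FORMATS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def find_timestamp_regressions(pcap_bytes):
    """Return (packet_number, previous_ts, ts) for each record whose time
    stamp is earlier than that of the record before it (1-based numbering)."""
    if pcap_bytes[:4] not in FORMATS:
        raise ValueError("not a classic pcap file")
    endian, units = FORMATS[pcap_bytes[:4]]
    offset, number, previous, regressions = 24, 0, None, []
    while offset + 16 <= len(pcap_bytes):
        sec, frac, caplen, _origlen = struct.unpack_from(
            endian + "IIII", pcap_bytes, offset)
        if offset + 16 + caplen > len(pcap_bytes):
            break  # truncated final record: stop rather than misparse
        offset += 16 + caplen
        number += 1
        ts = sec * units + frac  # integer ticks, no float rounding
        if previous is not None and ts < previous:
            regressions.append((number, previous, ts))
        previous = ts
    return regressions

def build_sample():
    """Constructed capture: four 4-byte packets, the third stamped 300 us
    before the second, as a late-delivered packet would be."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(1292878748, 100), (1292878748, 500),
              (1292878748, 200), (1292878748, 800)]
    records = b"".join(struct.pack("<IIII", s, us, 4, 4) + b"\x00" * 4
                       for s, us in stamps)
    return header + records

if __name__ == "__main__":
    for number, prev, ts in find_timestamp_regressions(build_sample()):
        print(f"packet {number}: {ts} is {prev - ts} ticks before previous")
```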