Hello Ivan,
Fascinating comment!
>>> Ivan Heninger <ivanh@xxxxxxxxxx> 1/4/2009 9:39 AM >>>
> Is your platform Linux on a multi-core CPU? I think negative time is
> possible on some multi-core CPUs depending on the hardware source for the
> precision software timer. Use of the TSC source, rather than the Linux
> default pmtimer, can yield better software performance but can also lead to
> a time offset between two cores in the same CPU.
>>>> From: Sake Blok <sake@xxxxxxxxxx>
>> Now... the main problem is why wireshark thinks these requests and
>> responses belong together, although they bend the nature of time ;-)
I too have some tracefiles (in my case "normal" IP traces) where
some packets appear "to bend the nature of time". In this case
the absolute timestamps of the pcap file are NOT in strictly chronological
order.
The initial time-bending packets can be easily found with the display
filter 'frame.time_delta < 0': e.g.
tshark -R 'frame.time_delta < 0' -r MYTRACEFILE
My tracefiles with the occasional time-bending packets were captured
from different systems. One system is a multi-core RH Linux system
with a 10Gb interface, the other is a dual core Windows XP SP2
system with a 1Gb interface. The "time-bending" packets do NOT
appear very often but they do happen.
I had suspected that these "time bends" were possibly due to the
capturing system's real-time clock being concurrently updated via
some other task (e.g. ntp) while there was an ongoing libpcap/winpcap
capture in progress.
Comments?
Thanks,
Jim Y.
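
Added example, not part of the original message: Python code that applies the same test as the display filter 'frame.time_delta < 0' directly to a classic pcap file, listing each frame stamped earlier than the frame before it. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct

# Magic numbers of the classic pcap format -> (byte order, timestamp ticks per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def negative_deltas(pcap_bytes):
    """Return [(frame_number, delta_in_ticks)] for every frame whose
    timestamp is earlier than that of the previous frame in the file."""
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, ticks = MAGICS[pcap_bytes[:4]]
    rec = struct.Struct(order + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    offset, frame_no, prev, hits = 24, 0, None, []
    while offset + rec.size <= len(pcap_bytes):
        sec, frac, incl_len, _orig_len = rec.unpack_from(pcap_bytes, offset)
        offset += rec.size + incl_len
        if offset > len(pcap_bytes):
            break  # last record is truncated; stop without counting it
        frame_no += 1
        stamp = sec * ticks + frac  # integer ticks, no float rounding
        if prev is not None and stamp < prev:
            hits.append((frame_no, stamp - prev))
        prev = stamp
    return hits

def build_sample():
    """Constructed capture: four 4-byte frames; frame 3 is stamped
    150 microseconds before frame 2."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<4sHHiIII", b"\xd4\xc3\xb2\xa1", 2, 4, 0, 0, 65535, 1)
    stamps = [(1231000000, 100), (1231000000, 900),
              (1231000000, 750), (1231000001, 0)]
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    for frame_no, delta in negative_deltas(build_sample()):
        print(f"frame {frame_no}: delta {delta} ticks")
```
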