Wireshark-users: [Wireshark-users] TurboCap card / out-of-order frames

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Thu, 14 Jan 2010 11:04:54 -0800
I'm using a TurboCap card to capture in-line with an end-station.

Repeatedly through the trace, I see out-of-order frames. For example,

[Numbers are TCP segment numbers]

Client ACKs    Server sends Segment    Frame #
1,183,091                              22034
               1,179,039               22035
               1,180,499               22036
               1,181,959               22037
               1,183,091               22038
               1,179,039               22041
1,183,091                              22042

And then, I even see an out-of-order three-way TCP handshake:

Client sends SYN        28898
Client sends ACK        28899
Server sends SYN-ACK    28900


I don't believe that the client really sent the ACK before receiving the SYN-ACK.

So I'm beginning to think that the TurboCap card misorders frames when it captures.

I captured using 'dumpcap -i 6 -w rollingcapture.pcap -b filesize:50000'

TurboCap driver v1.3

Anyone else seen this issue?

--sk

Stuart Kendrick
FHCRC
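
Added example, not part of the original message: a check that scans already-parsed frames in capture order and reports any handshake ACK recorded before the SYN-ACK it acknowledges, the causally impossible ordering described above. Only the frame numbers 28898-28900 come from the post; the addresses, ports, sequence numbers and the `Frame` tuple layout are constructed for illustration.

```python
from collections import namedtuple

# One captured TCP segment, reduced to the fields the check needs.
# flags is a string of letters: "S" = SYN, "A" = ACK, "SA" = SYN-ACK.
Frame = namedtuple("Frame", "num src sport dst dport flags seq ack")

def handshake_order_violations(frames):
    """Return (ack_frame, synack_frame) pairs where the client's ACK appears
    in the capture before the SYN-ACK whose sequence number it acknowledges."""
    awaiting = {}    # client->server flow -> [(frame num, ack value)] seen before the SYN-ACK
    violations = []
    for f in frames:                      # frames are in capture-file order
        flow = (f.src, f.sport, f.dst, f.dport)
        flags = set(f.flags)
        if flags == {"S"}:
            # Client SYN: start watching this flow (keep state on SYN retransmits).
            awaiting.setdefault(flow, [])
        elif flags == {"S", "A"}:
            # Server SYN-ACK: the matching client ACK must carry ack = seq + 1.
            client_flow = (f.dst, f.dport, f.src, f.sport)
            expected_ack = (f.seq + 1) % 2**32
            for num, ack in awaiting.pop(client_flow, []):
                if ack == expected_ack:
                    violations.append((num, f.num))
        elif "A" in flags and flow in awaiting:
            # ACK from the client while no SYN-ACK has been captured yet.
            awaiting[flow].append((f.num, f.ack))
    return violations

# Constructed sample: documentation addresses, made-up ports and sequence numbers.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE = [
    # Order reported in the post: SYN, ACK, SYN-ACK.
    Frame(28898, CLIENT, 50000, SERVER, 445, "S", 1000, 0),
    Frame(28899, CLIENT, 50000, SERVER, 445, "A", 1001, 5001),
    Frame(28900, SERVER, 445, CLIENT, 50000, "SA", 5000, 1001),
    # A second, correctly ordered handshake that must not be flagged.
    Frame(28950, CLIENT, 50001, SERVER, 445, "S", 2000, 0),
    Frame(28951, SERVER, 445, CLIENT, 50001, "SA", 7000, 2001),
    Frame(28952, CLIENT, 50001, SERVER, 445, "A", 2001, 7001),
]

if __name__ == "__main__":
    for ack_num, synack_num in handshake_order_violations(SAMPLE):
        print(f"frame {ack_num}: ACK captured before SYN-ACK in frame {synack_num}")
```

A hit shows that the order of frames in the file cannot be the order on the wire; it does not by itself say which component reordered them.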