Wireshark-users: Re: [Wireshark-users] TurboCap card / out-of-order frames

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Thu, 14 Jan 2010 11:17:06 -0800

Are you using the passthru feature?

Can you send me a small trace file showing the issue to my work email (gianluca.varenni@xxxxxxxxxxxx)?

Have a nice day
GV

--------------------------------------------------
From: "Stuart Kendrick" <skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 11:04 AM
To: <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] TurboCap card / out-of-order frames

I'm using a TurboCap card to capture in-line with an end-station.

Repeatedly through the trace, I see out-of-order frames.  For example,

[Numbers are TCP segment numbers]

Client ACKs Server sends Segment Frame #
1,183,091 22034
1,179,039 22035
1,180,499 22036
1,181,959 22037
1,183,091 22038
1,179,039 22041
1,183,091 22042

And then, I even see an out-of-order three-way TCP handshake:


Client sends SYN                                                    28898
Client sends ACK                                                    28899
Server sends SYN-ACK                                                28900


I don't believe that the client really sent the ACK before
receiving the SYN-ACK.

So I'm beginning to think that the TurboCap card misorders frames when
it captures.

I captured using 'dumpcap -i 6 -w rollingcapture.pcap -b filesize:50000'

TurboCap driver v1.3

Anyone else seen this issue?

--sk

Stuart Kendrick
FHCRC

