Wireshark-users: Re: [Wireshark-users] TurboCap card / out-of-order frames

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Thu, 14 Jan 2010 12:23:11 -0800
Hi Gianluca,

see https://vishnu.fhcrc.org/nps/seqc-crash.pcap

the frame numbers in my text below were taken from this trace

ip.addr==128.95.181.47

Also, I'm curious about the negative delta T numbers

--sk


On 1/14/2010 11:17 AM, Gianluca Varenni wrote:
Are you using the passthru feature?

Can you send me a small trace file showing the issue to my work email
(gianluca.varenni@xxxxxxxxxxxx)?

Have a nice day
GV

--------------------------------------------------
From: "Stuart Kendrick"<skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 11:04 AM
To:<wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] TurboCap card / out-of-order frames

I'm using a TurboCap card to capture in-line with an end-station.

Repeatedly through the trace, I see out of order frames.  For example,

[Numbers are TCP segment numbers]

Client ACKs Server sends Segment Frame #
1,183,091 22034
1,179,039 22035
1,180,499 22036
1,181,959 22037
1,183,091 22038
1,179,039 22041
1,183,091 22042

And then, I even see an out-of-order three-way TCP handshake:


Client sends SYN        28898
Client sends ACK        28899
Server sends SYN-ACK    28900


I don't believe that the client really sent the ACK before
receiving the SYN-ACK.

So I'm beginning to think that the TurboCap card misorders frames when
it captures.

I captured using 'dumpcap -i 6 -w rollingcapture.pcap -b filesize:50000'

TurboCap driver v1.3

Anyone else seen this issue?

--sk

Stuart Kendrick
FHCRC


___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe