Wireshark-users: Re: [Wireshark-users] TurboCap card / out-of-order frames

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Thu, 14 Jan 2010 13:00:52 -0800
Is it an aggregating tap?

GV

--------------------------------------------------
From: "Stuart Kendrick" <skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 12:53 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames

No, I'm using a Finisar tap

--sk

On 1/14/2010 12:37 PM, Gianluca Varenni wrote:
Are you using the passthru feature of TurboCap?

Have a nice day
GV

--------------------------------------------------
From: "Stuart Kendrick"<skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 12:23 PM
To: "Community support list for Wireshark"<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames

Hi Gianluca,

see https://vishnu.fhcrc.org/nps/seqc-crash.pcap

the frame numbers in my text below were taken from this trace

ip.addr==128.95.181.47

Also, I'm curious about the negative delta T numbers

--sk


On 1/14/2010 11:17 AM, Gianluca Varenni wrote:
Are you using the passthru feature?

Can you send me a small trace file showing the issue to my work email
(gianluca.varenni@xxxxxxxxxxxx)?

Have a nice day
GV

--------------------------------------------------
From: "Stuart Kendrick"<skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 11:04 AM
To:<wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] TurboCap card / out-of-order frames


I'm using a TurboCap card to capture in-line with an end-station.

Repeatedly through the trace, I see out of order frames.  For example,

[Numbers are TCP segment numbers]

Client ACKs Server sends Segment Frame #
1,183,091 22034
1,179,039 22035
1,180,499 22036
1,181,959 22037
1,183,091 22038
1,179,039 22041
1,183,091 22042

And then, I even see an out-of-order three-way TCP handshake:


Client sends SYN        28898
Client sends ACK        28899
Server sends SYN-ACK    28900


I don't believe that the client really sent the ACK before
receiving the SYN-ACK.

So I'm beginning to think that the TurboCap card misorders frames when
it captures.

I captured using 'dumpcap -i 6 -w rollingcapture.pcap -b filesize:50000'

TurboCap driver v1.3

Anyone else seen this issue?

--sk

Stuart Kendrick
FHCRC


___________________________________________________________________________
Sent via: Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
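
An added example, not part of the original thread and not code from Wireshark or the TurboCap driver: one way to confirm the "negative delta T" symptom independently of any GUI is to walk a classic pcap file in record order and list every frame stamped earlier than the frame before it. The function names and the sample capture are constructed for illustration; pcapng files are not handled.

```python
import struct

MAGICS = {  # first 4 bytes of a classic pcap file -> (byte order, fraction units per second)
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def frames(pcap):
    """Yield (frame_no, timestamp_ns, packet_bytes) in file order."""
    if pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order, per_sec = MAGICS[pcap[:4]]
    pos, no = 24, 0  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        sec, frac, incl, _orig = struct.unpack_from(order + "IIII", pcap, pos)
        pos += 16
        if pos + incl > len(pcap):
            break  # truncated final record, e.g. capture still being written
        no += 1
        yield no, sec * 10**9 + frac * (10**9 // per_sec), pcap[pos:pos + incl]
        pos += incl

def negative_deltas(pcap):
    """Return [(frame_no, delta_ns)] for frames stamped earlier than the previous frame."""
    out, prev = [], None
    for no, ts, _data in frames(pcap):
        if prev is not None and ts < prev:
            out.append((no, ts - prev))
        prev = ts
    return out

def build_sample():
    """Constructed capture: 4 empty records, the third stamped 150 us before the second."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(100, 0), (100, 500), (100, 350), (100, 900)]
    return hdr + b"".join(struct.pack("<IIII", s, us, 0, 0) for s, us in stamps)

if __name__ == "__main__":
    for no, delta in negative_deltas(build_sample()):
        print(f"frame {no}: delta {delta / 1000:.0f} us")
```

A non-empty result means the file order and the timestamp order disagree, so frame numbers alone cannot be trusted to reconstruct the sequence of events.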
