The aggregation that TurboCap performs is done at the host level, after the
packets have been timestamped (always at the host level).
The precision of such timestamps is in the order of some microseconds, so if
two packets (either on the same port or on two ports of the same board)
arrive "too close" (in the order of 1-3 microseconds), it's possible that
they get the same timestamp and when you merge the two traffic streams, the
packets are out-of-order or nearly out-of-order.
In your specific trace file, in the case of the SYN/ACK sequence, packets
28898 and 28899 have the same exact timestamp (for the reason above) and
during the aggregation the ACK packet was put before the SYN-ACK one.
In the case of packet #22035, it's a bug in the TurboCap aggregation. The
timestamp goes backwards (that's the reason for the negative timestamp
delta).
I will try to replicate this out-of-order issue in the lab.
Have a nice day
GV
--------------------------------------------------
From: "Stuart Kendrick" <skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 1:33 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Cc: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames
nope
--sk
On 1/14/2010 1:00 PM, Gianluca Varenni wrote:
Is it an aggregating tap?
GV