Wireshark-users: Re: [Wireshark-users] Negative time difference between two following packets. fr

From: Jasper Bongertz <jasper.sharklists@xxxxxxxxxxxxxx>
Date: Tue, 16 Apr 2013 16:40:49 +0200
Title: Re: [Wireshark-users] Negative time difference between two following packets. frame.time_delta is negative
Hello Jaroslav,

it is probably caused by the capture setup - since you're talking about tap/splitter I guess you're capturing on multiple cards at the same time. In that case the timestamps are most likely set by the timers on the network card but sometimes "earlier" frames are delivered later to the capture process running on the PC. That leads to the absolute timestamps arriving sort of "out of order" - and so you'll see negative delta times. You can reorder your frames according to the timestamps by using the command line tool "reordercap" which is part of the latest Wireshark developer builds.

Cheers,
Jasper

Tuesday, April 16, 2013, 8:41:55 AM, you wrote:


Hi!
 
I have a capture taken with an Ethernet tap/splitter/monitor where several packets have a negative time difference to the previous packet, i.e. frame.time_delta is below zero. Actually, 13.4 % of all packets in the file have this characteristic, which can easily be seen by applying the filter 
 
frame.time_delta < 0
 
It is only packets that go in one direction, e.g. from server to client, that appear to get negative time delta and this leads me to think that whatever causes this is not only due to some fault or feature in Wireshark itself.
 
What can this be caused by?
 
Best Regards,
Jaroslav Kazejev