Wireshark-users: Re: [Wireshark-users] Synchronize data of twin interface capture

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Tue, 21 Sep 2021 09:15:32 -0500
Not tried this but what about using a switch to combine the traffic and send out via a SPAN port to a single capture interface?

https://blog.packet-foo.com/2016/12/the-network-capture-playbook-part-5-network-tap-basics/
"The Packet out of order problem
If you want to avoid out of order captures using a full duplex TAP, the only reliable way is to use a professional FPGA based multi port capture cards that are able to merge the incoming packets within the card."

https://osqa-ask.wireshark.org/questions/34102/packets-out-of-order/
packets out of order

On Tue, Sep 21, 2021 at 2:58 AM Helge Kruse <Helge.Kruse@xxxxxxx> wrote:
I have two network nodes built with microcontrollers. These are not
capable to capture network traffic. So I want to monitor the
communication between these nodes with a tap
(https://www.amazon.com/gp/product/B07VZYPYV8). It works as described
here: https://blog.wains.be/2007/2007-02-01-diy-passive-network-tap/

Wireshark is capturing the data on two different Ethernet adapters in a
PC. This arises the problem, that the timestamps for the packets are
taken when the capture driver receives the packet. The result is a small
jitter of the timestamps. In many cases the TCP ACK is received before
the ack'd TCP segment is receive at the other Ethernet adapter. This
causes false-positive errors in the Wireshark log. These errors are
- TCP Sperious Retransmission
- TCP ACKed unseen segment

Example:
Frame t       src/dst Info
31  0.862143  40->92  [TCP ACKed unseen segment]  Seq=15 Ack=391
32  0.862226  92->40  [TCP Spurious Retransmission]  Seq=66 Ack=15
33  0.863048  92->40  Seq=391 Ack=29
39  1.061595  40->92  Seq=29 Ack=456
40  1.061595  40->92  [TCP ACKed unseen segment]  Seq=29 Ack=586
41  1.062206  92->40  [TCP Spurious Retransmission] Seq=456 Ack=29


I want to use the capture to identify actual errors. These will be
hidden by the thousands of false positives. The data shown above is
already the output of reordercap.

- How can Wireshark handle this small jitters and suppress false
positive errors?

- Is there a known procedure to capture full-duplex while keeping the
original sequence?

Best regards,
Helge
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe