Wireshark mailing list archives

Re: wireshark capture shows packets not chronologically captured


From: Romel Khan <romel.khan () idt net>
Date: Sun, 19 Dec 2010 10:06:16 -0500

$ uname -a
Linux XYZ 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux

On Fri, Dec 17, 2010 at 1:57 PM, Guy Harris <guy () alum mit edu> wrote:

> On Dec 17, 2010, at 8:03 AM, Romel Khan wrote:
>
>> I did a capture and notice that packets are not chronologically sorted.
>
> That sounds like a bug in your OS.  If packets aren't delivered by the OS
> to the capture mechanism in strict time order, that's an OS bug.  (Yes, that
> means that if different packets are, as they arrive, processed on different
> cores, the mechanism should still sort them.  If that imposes a performance
> penalty, and if some programs that directly use the capture mechanism don't
> care, then there should be an option to request whether you want strict time
> ordering or not - and libpcap/WinPcap should request it!)
>
> What version of what OS are you running on?  If Linux, what version of what
> kernel; if Windows, also indicate what version of WinPcap you have.
>
>> E.g. packet 64 if it were in chronological order would actually have been
>> packet 5. I can sort by clicking Time column field. But how can I save it
>> (to a different filename) so if I open that new filename, it will indeed
>> show packet 64 properly as packet 5 (i.e. all packets properly chronologically
>> adjusted) ?
>
> There's no mechanism in Wireshark to do that.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
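
Added example (not part of the original thread and not Wireshark code): one way to rewrite a capture so its records are in timestamp order, as asked above. It assumes the classic pcap file format (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers as they appear on disk -> struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # usec / nsec, LE
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # usec / nsec, BE

def read_records(data):
    """Return [((ts_sec, ts_frac), raw_record_bytes), ...] in file order."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    out, off = [], 24                      # 24-byte global header
    while off + 16 <= len(data):           # 16-byte per-record header
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break                          # stop at a truncated final record
        out.append(((ts_sec, ts_frac), data[off:end]))
        off = end
    return out

def reorder_pcap(data):
    """Return the same capture with records sorted by timestamp.
    sorted() is stable, so records with equal timestamps keep file order."""
    recs = sorted(read_records(data), key=lambda r: r[0])
    return data[:24] + b"".join(raw for _, raw in recs)

def make_sample():
    """Constructed sample: four records written out of time order."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, (sec, usec) in enumerate([(10, 500), (10, 100), (9, 999999), (10, 100)]):
        payload = bytes([i]) * 4           # payload marks original position
        body += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return hdr + body

if __name__ == "__main__":
    for ts, raw in read_records(reorder_pcap(make_sample())):
        print(ts, raw[16:].hex())
```

Write the result to a new file and keep the original capture, since frame numbers change after sorting. Later Wireshark releases also ship a `reordercap` command-line tool for this job.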
