
Wireshark-users: Re: [Wireshark-users] Negative Fibre Channel scsi_time values

From: "Jim Young" <sysjhy@xxxxxxxxxxxxxxx>
Date: Sun, 04 Jan 2009 11:46:25 -0500
Hello Ivan,

Fascinating comment!

>>> Ivan Heninger <ivanh@xxxxxxxxxx> 1/4/2009 9:39 AM >>>
> Is your platform Linux on a multi-core CPU?  I think negative time is
> possible on some multi-core CPUs depending on the hardware source for the
> precision software timer.  Use of the TSC source, rather than the Linux
> default pmtimer, can yield better software performance but can also lead to
> a time offset between two cores in the same CPU.

>>>>  From:       Sake Blok <sake@xxxxxxxxxx>                              
>> Now... the main problem is why wireshark thinks these requests and
>>  responses belong together, although they bend the nature of time ;-)

I too have some tracefiles (in my case "normal" IP traces) where 
some packets appear "to bend the nature of time".  In this case 
the absolute timestamps of the pcap file are NOT in strictly chronological
order.  

The initial time-bending packets can be easily found with the display 
filter 'frame.time_delta < 0': e.g.

  tshark -R 'frame.time_delta < 0' -r MYTRACEFILE

My tracefiles with the occasional time-bending packets were captured 
from different systems.  One system is a multi-core RH Linux system 
with a 10Gb interface, the other is a dual core Windows XP SP2 
system with a 1Gb interface.  The "time-bending" packets do NOT 
appear very often but they do happen.  

I had suspected that these "time bends" were possibly due to the 
capturing system's real-time clock being concurrently updated via 
some other task (e.g. ntp) while there was an ongoing libpcap/winpcap
capture in progress.

Comments?

Thanks,

Jim Y.
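
The check that the display filter 'frame.time_delta < 0' performs can also be run directly against the capture file when reviewing a trace offline. The following is an added example, not part of the original message or of Wireshark: it assumes a classic pcap file (not pcapng), and the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers -> (byte order, timestamp ticks per second)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6),  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 10**6),  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 10**9),  # big-endian, nanoseconds
}

def negative_deltas(pcap_bytes):
    """Return [(frame_number, delta_seconds)] for every frame stamped earlier
    than the frame before it (what 'frame.time_delta < 0' matches)."""
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in _MAGICS:
        raise ValueError("not a classic pcap file")
    order, ticks = _MAGICS[pcap_bytes[:4]]
    rec = struct.Struct(order + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    offset, frame_no, prev, hits = 24, 0, None, []
    while offset + rec.size <= len(pcap_bytes):
        sec, frac, incl_len, _ = rec.unpack_from(pcap_bytes, offset)
        offset += rec.size + incl_len
        if offset > len(pcap_bytes):
            break  # truncated final record: stop rather than misparse
        frame_no += 1
        ts = sec * ticks + frac  # integer ticks avoid float rounding
        if prev is not None and ts < prev:
            hits.append((frame_no, (ts - prev) / ticks))
        prev = ts
    return hits

def build_sample():
    """Constructed capture: four 4-byte frames; frame 3 is stamped 250 us
    before frame 2."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(1231087585, 100000), (1231087585, 200000),
              (1231087585, 199750), (1231087585, 300000)]
    return hdr + b"".join(struct.pack("<IIII", s, u, 4, 4) + b"\x00" * 4
                          for s, u in stamps)

if __name__ == "__main__":
    for frame_no, delta in negative_deltas(build_sample()):
        print(f"frame {frame_no}: delta {delta:.6f} s")
```

Only the first frame after each backwards step is reported, which matches how the per-frame delta is computed against the immediately preceding frame.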