Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] TurboCap card / out-of-order frames

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Thu, 14 Jan 2010 13:48:22 -0800
The aggregation that TurboCap performs is done at the host level, after the packets have been timestamped (always at the host level). The precision of such timestamps is in the order of some microseconds, so if two packets (either on the same port or on two ports of the same board) arrive "too close" (in the order of 1-3 microseconds), it's possible that they get the same timestamp and when you merge the two traffic streams, the packets are out-of-order or nearly out-of-order.

In your specific trace file, in the case of the SYN/ACK sequence, packets 28898 and 28899 have the same exact timestamp (for the reason above) and during the aggregation the ACK packet was put before the SYN-ACK one.

In the case of packet #22035, it's a bug in the TurboCap aggregation. The timestamp goes backwards (that's the reason for the negative timestamp delta).
I will try to replicate this out-of-order issue in the lab.

Have a nice day
GV


--------------------------------------------------
From: "Stuart Kendrick" <skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 1:33 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Cc: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames

nope

--sk

On 1/14/2010 1:00 PM, Gianluca Varenni wrote:
Is it an aggregating tap?

GV