Wireshark-users: [Wireshark-users] Synchronize data of twin interface capture

From: Helge Kruse <Helge.Kruse@xxxxxxx>
Date: Tue, 21 Sep 2021 09:57:58 +0200
I have two network nodes built with microcontrollers. These are not
capable of capturing network traffic. So I want to monitor the
communication between these nodes with a tap
(https://www.amazon.com/gp/product/B07VZYPYV8). It works as described
here: https://blog.wains.be/2007/2007-02-01-diy-passive-network-tap/

Wireshark is capturing the data on two different Ethernet adapters in a
PC. This raises the problem that the timestamps for the packets are
taken when the capture driver receives the packet. The result is a small
jitter of the timestamps. In many cases the TCP ACK is received before
the ack'd TCP segment is received at the other Ethernet adapter. This
causes false-positive errors in the Wireshark log. These errors are
- TCP Spurious Retransmission
- TCP ACKed unseen segment

Example:
Frame t       src/dst Info
31  0.862143  40->92  [TCP ACKed unseen segment]  Seq=15 Ack=391
32  0.862226  92->40  [TCP Spurious Retransmission]  Seq=66 Ack=15
33  0.863048  92->40  Seq=391 Ack=29
39  1.061595  40->92  Seq=29 Ack=456
40  1.061595  40->92  [TCP ACKed unseen segment]  Seq=29 Ack=586
41  1.062206  92->40  [TCP Spurious Retransmission] Seq=456 Ack=29


I want to use the capture to identify actual errors. These will be
hidden by the thousands of false positives. The data shown above is
already the output of reordercap.

- How can Wireshark handle these small jitters and suppress false
positive errors?

- Is there a known procedure to capture full-duplex while keeping the
original sequence?

Best regards,
Helge
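As an added illustration (not part of Helge's post, nor code from Wireshark or reordercap), the script below merges the two single-direction captures by TCP causality rather than by timestamp alone: a segment is only emitted once the bytes it acknowledges have been emitted from the other direction, which is exactly the ordering the jitter between the two adapters destroys. The records are constructed from the frames quoted above; the payload lengths are inferred from consecutive sequence numbers and are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    frame: int    # frame number, for reference only
    ts: float     # driver timestamp (seconds); jittery across two adapters
    src: str      # sending node
    seq: int      # relative TCP sequence number
    ack: int      # relative acknowledgement number
    length: int   # TCP payload bytes

def causal_merge(left, right):
    """Merge two time-sorted single-direction lists so that no segment is
    emitted before the bytes it acknowledges have been emitted from the other
    direction. If neither candidate satisfies that (data lost or never captured)
    the earlier timestamp wins, so the merge always terminates."""
    queues = [list(left), list(right)]
    # src -> highest seq+len emitted; bytes sent before capture start are assumed delivered
    seen = {q[0].src: q[0].seq for q in queues if q}
    def ok(s):  # has everything s acknowledges already been emitted?
        return all(s.ack <= end for src, end in seen.items() if src != s.src)
    out = []
    while any(queues):
        cands = sorted((q[0] for q in queues if q), key=lambda s: s.ts)
        pick = cands[0]
        if len(cands) == 2 and not ok(cands[0]) and ok(cands[1]):
            pick = cands[1]        # defer the early ACK, let the data go first
        for q in queues:
            if q and q[0] is pick:
                q.pop(0)
        seen[pick.src] = max(seen[pick.src], pick.seq + pick.length)
        out.append(pick)
    return out

def acked_unseen(segs):
    """Frames whose ACK covers bytes not yet seen from the other direction:
    a simplified form of Wireshark's 'TCP ACKed unseen segment' check."""
    seen, flagged = {}, []
    for s in segs:
        seen.setdefault(s.src, s.seq)   # assume pre-capture bytes were delivered
    for s in segs:
        if any(s.ack > end for src, end in seen.items() if src != s.src):
            flagged.append(s.frame)
        seen[s.src] = max(seen[s.src], s.seq + s.length)
    return flagged

# Constructed sample modelled on the quoted frames; payload lengths are assumptions.
NODE40 = [Seg(31, 0.862143, "40", 15, 391, 14), Seg(39, 1.061595, "40", 29, 456, 0),
          Seg(40, 1.061595, "40", 29, 586, 0)]
NODE92 = [Seg(32, 0.862226, "92", 66, 15, 325), Seg(33, 0.863048, "92", 391, 29, 65),
          Seg(41, 1.062206, "92", 456, 29, 130)]
BY_TIME = sorted(NODE40 + NODE92, key=lambda s: s.ts)   # what reordercap produces
```

On the timestamp order `acked_unseen` flags frames 31 and 40, matching the warnings in the quoted output; on the causal merge (32, 31, 33, 39, 41, 40) it flags nothing. To apply this to real files, the per-direction fields would be exported from each capture (e.g. with tshark) and the merged order written back with adjusted timestamps.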