Wireshark · Wireshark-users: Re: [Wireshark-users] sorting on packet number and on time gives different results

[Guy Harris <guy@xxxxxxxxxxxx>]

On Jul 10, 2007, at 2:16 PM, Ariel Burbaickij wrote:

> Hello all,
> following for me somehow unexpected result:
> when I filter on packets' number and then on time
> results are different and filtering on time produces
> not ordered set of packets' numbers but they are
> mixed like in e.g. 1, 2, 7, 8, 4,3 etc.
> Without delving into the code:
> Is there is more to the logic:
> the moment packet is timestamped next unassigned
> number is granted to its packet number?

Absolute packet time stamps are recorded in the capture file; the  
packet number is *implicit* in the capture file, i.e. the first packet  
in the file has the number 1, the second file has the number 2, etc..

For libpcap-format files:

The time stamping occurs, for most platforms, in the kernel; the  
kernel-assigned time stamp is in the data read by libpcap.  The one  
exception that comes to mind is HP-UX, where the kernel doesn't assign  
a time stamp, so libpcap has to use the current time.

Packets are written to the capture file in the order in which they're  
delivered to libpcap.

Packet capture mechanisms do not necessarily guarantee that the N+1st  
packet delivered to libpcap has a time stamp >= that of the Nth packet  
delivered to libpcap - I'd argue that not making such a guarantee  
(assuming nobody explicitly moves the system clock backwards; if that  
happens, all bets are off) is a bug, but I think some versions of  
Linux, for example, are buggy in that sense.

For all file formats, once a capture file is read, the absolute time  
stamp of a packet, and its packet number, don't change.

Are you changing the sort order of the packet display?