Is it an aggregating tap?
GV
--------------------------------------------------
From: "Stuart Kendrick" <skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 12:53 PM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames
No, I'm using a Finisar tap
--sk
On 1/14/2010 12:37 PM, Gianluca Varenni wrote:
Are you using the passthru feature of TurboCap?
Have a nice day
GV
--------------------------------------------------
From: "Stuart Kendrick"<skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 12:23 PM
To: "Community support list for Wireshark"<wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames
Hi Gianluca,
see https://vishnu.fhcrc.org/nps/seqc-crash.pcap
the frame numbers in my text below were taken from this trace
ip.addr==128.95.181.47
Also, i'm curious about the negative delta T numbers
--sk
On 1/14/2010 11:17 AM, Gianluca Varenni wrote:
Are you using the passthru feature?
Can you send me a small trace file showing the issue to my work email
(gianluca.varenni@xxxxxxxxxxxx)?
Have a nice day
GV
--------------------------------------------------
From: "Stuart Kendrick"<skendric@xxxxxxxxx>
Sent: Thursday, January 14, 2010 11:04 AM
To:<wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] TurboCap card / out-of-order frames
I'm using a TurboCap card to capture in-line with an end-station.
Repeatedly through the trace, I see out of order frames. For example,
[Numbers are TCP segment numbers]
Client ACKs Server sends Segment Frame #
1,183,091 22034
1,179,039 22035
1,180,499 22036
1,181,959 22037
1,183,091 22038
1,179,039 22041
1,183,091 22042
And then, I even see an out-of-order three-way TCP handshake:
Client sends SYN
28898
Client sends ACK
28899
Server sends SYN-ACK 28900
I don't believe that that the client really sent the ACK before
receiving the SYN-ACK.
So I'm beginning to think that the TurboCap card misorders frames when
it captures.
I captured using 'dumpcap -i 6 -w rollingcapture.pcap -b
filesize:50000'
TurboCap driver v1.3
Anyone else seen this issue?
--sk
Stuart Kendrick
FHCRC
___________________________________________________________________________
Sent via: Wireshark-users mailing
list<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing
list<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
