Wireshark · Wireshark-users: [Wireshark-users] Negative delta with UDP / SIP conversation

Wireshark-users: [Wireshark-users] Negative delta with UDP / SIP conversation

From: M Holt <m.iostreams@xxxxxxxxx>

Date: Thu, 20 Jun 2013 13:48:54 -0700

Hello folks,

I have captured a UDP/SIP conversation in a lab environment, from the perspective of an inline proxy device:

client ----- proxy ----- server
10.10.5.30 10.10.5.90 172.16.215.1

This proxy device changes the destination address, but retains the source address of the original client.

In my attached capture, there are 8 packets which were filtered based on Call-ID. Packet number 2 should be the beginning of the conversation, based on the little diagram above, but Wireshark is displaying this packet as number 2, even though it has a negative delta from packet 1.

Based on this, I have two questions:

1. How does frame data get populated? In other words, how does Wireshark know that frame 10, is not frame 9? Previously, I had thought this was always based on time, but that is clearly not the case.

2. In this specific example, what is causing Wireshark to re-order packets?

Thanks in advance,

-- Mike

|Time     | 10.10.5.30                            | 10.10.5.90                            |
|         |                   | 172.16.215.1      |                   
|0.000000 |         Request: REGISTER s           |                   |SIP: Request: REGISTER sip:10.10.5.90    (fetch bindings) | 
|         |(5062)   ------------------>  (5060)   |                   |
|-0.000322|         Request: REGISTER s           |                   |SIP: Request: REGISTER sip:10.10.5.90    (fetch bindings) | 
|         |(5061)   -------------------------------------->  (5060)   |
|0.011113 |         Status: 401 Unautho           |                   |SIP: Status: 401 Unauthorized    (0 bindings) | 
|         |(5062)   <------------------  (5060)   |                   |
|0.011121 |         Status: 401 Unautho           |                   |SIP: Status: 401 Unauthorized    (0 bindings) | 
|         |(5061)   <--------------------------------------  (5060)   |
|0.183769 |         Request: REGISTER s           |                   |SIP: Request: REGISTER sip:10.10.5.90    (fetch bindings) | 
|         |(5061)   -------------------------------------->  (5060)   |
|0.184231 |         Request: REGISTER s           |                   |SIP: Request: REGISTER sip:10.10.5.90    (fetch bindings) | 
|         |(5062)   ------------------>  (5060)   |                   |
|0.209465 |         Status: 200 OK    (           |                   |SIP: Status: 200 OK    (0 bindings) | 
|         |(5062)   <------------------  (5060)   |                   |
|0.209475 |         Status: 200 OK    (           |                   |SIP: Status: 200 OK    (0 bindings) | 
|         |(5061)   <--------------------------------------  (5060)   |

Attachment: sip.dmp
Description: Binary data

Follow-Ups:
- Re: [Wireshark-users] [WARNING - NOT VIRUS SCANNED] Negative delta with UDP / SIP conversation
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] TCP checksum is regarded as incorrect by wireshark, but still accepted by TCP stack
Next by Date: Re: [Wireshark-users] [WARNING - NOT VIRUS SCANNED] Negative delta with UDP / SIP conversation
Previous by thread: Re: [Wireshark-users] TCP checksum is regarded as incorrect by wireshark, but still accepted by TCP stack
Next by thread: Re: [Wireshark-users] [WARNING - NOT VIRUS SCANNED] Negative delta with UDP / SIP conversation
Index(es):
- Date
- Thread