Re: TurboCap card / out-of-order frames

["Gianluca Varenni" <gianluca.varenni () cacetech com>]

The aggregation that TurboCap performs is done at the host level, after the 
packets have been timestamped (always at the host level).
The precision of such timestamps is in the order of some microseconds, so if 
two packets (either on the same port or on two ports of the same board) 
arrive "too close" (in the order of 1-3 microseconds), it's possible that 
they get the same timestamp and when you merge the two traffic streams, the 
packets are out-of-order or nearly out-of-order.

In your specific trace file, in the case of the SYN/ACK sequence, packets 
28898 and 28899 have the same exact timestamp (for the reason above) and 
during the aggregation the ACK packet was put before the SYN-ACK one.

In the case of packet #22035, it's a bug in the TurboCap aggregation. The 
timestamp goes backwards (that's the reason for the negative timestamp 
delta).
I will try to replicate this out-of-order issue in the lab.

Have a nice day
GV


--------------------------------------------------
From: "Stuart Kendrick" <skendric () fhcrc org>
Sent: Thursday, January 14, 2010 1:33 PM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Cc: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Subject: Re: [Wireshark-users] TurboCap card / out-of-order frames

> nope
>
> --sk
>
> On 1/14/2010 1:00 PM, Gianluca Varenni wrote:
> > Is it an aggregating tap?
> >
> > GV
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe