Wireshark mailing list archives
Re: How does tshark "synchronize" multiple interfaces?
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Tue, 6 Feb 2018 12:35:05 -0500
I think you're just getting lucky. There's a long-standing bug complaining that the synchronization between interfaces, well, isn't:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8253

On Tue, Feb 6, 2018 at 12:07 PM, S. Jacobi <sjacobi () mailueberfall de> wrote:

> On Tue, 6 Feb 2018 09:05:14 -0800 Richard Sharpe <realrichardsharpe () gmail com> wrote:
>
>> On Tue, Feb 6, 2018 at 8:39 AM, S. Jacobi <sjacobi () mailueberfall de> wrote:
>>
>>> We have a sender who sends packets, each one gets a 16bit number. This number, I will call it packet ID, is strictly ascending, but starts again from zero if the 16bit range is reached. Then, the sender distributes the packet on multiple interfaces and we cannot make any assumptions how this is done. Packet IDs can appear arbitrarily on the interfaces, packet IDs can be reordered (although only in a very limited range), and packets need not be (and in fact are not) evenly divided onto the interfaces. On the receiving
>>>
>>> Our own capturing tool is rather simple. It spawns a thread for each interface, and the thread function tries to read and process each incoming packet as fast as possible. This leads to the problem that if one interface receives more packets, the packet IDs read from different interfaces drift further apart, even going one full circle and so on and on. However, if we use tshark to capture from all interfaces and save the output to a file, then process this file with our tool, everything works fine. So, tshark needs to have some sort of synchronisation mechanism, to fairly distribute the reads from each interface. The packet timestamps in the capture file are not always ascending, there are a few jumps in it. I wasn't able to spot this mechanism in the code, so I'm grateful for any information on this.
>>
>> As far as I am aware it is the kernel that is doing this. Also, I believe that only Linux supports the any device.
>
> We are on Linux, yes, but we don't capture from any. tshark allows to specify multiple interfaces.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
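The setup in the quoted question (16-bit packet IDs that wrap, spread over several interfaces with bounded reordering) can be consumed in ID order without relying on capture order, by comparing IDs with wrap-aware arithmetic and releasing them through a small window. This is an added example, not code from the thread or from Wireshark; `WINDOW`, `id_cmp` and the `reorder_*` names are hypothetical, and the reordering bound of 64 IDs is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64 /* assumed reordering bound; must divide 65536 so slots survive wrap */

/* RFC 1982-style comparison: <0 if a precedes b, >0 if a follows b, across wrap. */
static int id_cmp(uint16_t a, uint16_t b) {
    return (int16_t)(uint16_t)(a - b);
}

struct reorder {
    uint16_t next;            /* next packet ID to release */
    uint8_t  present[WINDOW]; /* slot holds a packet? */
    int      iface[WINDOW];   /* interface it arrived on */
};

static void reorder_init(struct reorder *r, uint16_t first_id) {
    r->next = first_id;
    for (int i = 0; i < WINDOW; i++) r->present[i] = 0;
}

/* Called by any interface reader (under a lock in a threaded tool). Returns 0 if
 * buffered, -1 if stale or too far ahead; a reader that runs ahead should wait. */
static int reorder_push(struct reorder *r, uint16_t id, int iface) {
    int d = id_cmp(id, r->next);
    if (d < 0 || d >= WINDOW) return -1;
    r->present[id % WINDOW] = 1;
    r->iface[id % WINDOW] = iface;
    return 0;
}

/* Releases the next in-order packet if it has arrived: 1 on success, 0 on a gap. */
static int reorder_pop(struct reorder *r, uint16_t *id, int *iface) {
    int slot = r->next % WINDOW;
    if (!r->present[slot]) return 0;
    r->present[slot] = 0;
    *iface = r->iface[slot];
    *id = r->next++;          /* uint16_t wraps 65535 -> 0 */
    return 1;
}

int main(void) {
    /* Constructed arrivals: IDs straddling the wrap, seen on three interfaces. */
    uint16_t ids[] = {0, 65535, 65534, 1}; int ifs[] = {1, 0, 2, 1};
    struct reorder r; uint16_t id; int ifc;
    reorder_init(&r, 65534);
    for (int i = 0; i < 4; i++) {
        reorder_push(&r, ids[i], ifs[i]);
        while (reorder_pop(&r, &id, &ifc)) printf("id %u from if%d\n", (unsigned)id, ifc);
    }
    return 0;
}
```

The `-1` from `reorder_push` for an ID too far ahead is the point at which a per-interface reader has outrun the others and should pause rather than process.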
Current thread:
- How does tshark "synchronize" multiple interfaces? S. Jacobi (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Richard Sharpe (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? S. Jacobi (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Richard Sharpe (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Guy Harris (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? S. Jacobi (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Francesco Fondelli (Feb 07)
- Re: How does tshark "synchronize" multiple interfaces? S. Jacobi (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Richard Sharpe (Feb 06)
- Re: How does tshark "synchronize" multiple interfaces? Jeff Morriss (Feb 06)