
List:       wireshark-users
Subject:    Re: [Wireshark-users] Negative time difference between two following packets. frame.time_delta is ne
From:       Jasper Bongertz <jasper.sharklists () packet-foo ! com>
Date:       2013-04-16 14:40:49
Message-ID: 538087333.20130416164049 () packet-foo ! com

[Attachment #2 (text/html)]

<html><head><title>Re: [Wireshark-users] Negative time difference between two \
following packets. frame.time_delta is negative</title> <META http-equiv=Content-Type \
content="text/html; charset=iso-8859-15"> </head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">Hello Jaroslav,<br>
<br>
it is probably caused by the capture setup - since you're talking about tap/splitter \
I guess you're capturing on multiple cards at the same time. In that case the \
timestamps are most likely set by the timers on the network card but sometimes \
"earlier" frames are delivered later to the capture process running on the PC. That \
leads to the absolute timestamps arriving sort of "out of order" - and so you'll see \
negative delta times. You can reorder your frames according to the timestamps by \
using the command line tool "reordercap" which is part of the latest Wireshark \
developer builds.<br> <br>
Cheers,<br>
Jasper<br>
<br>
Tuesday, April 16, 2013, 8:41:55 AM, you wrote:<br>
<br>
</span><table>
<tr>
<td width=3 bgcolor= #0000ff><br>
</td>
<td width=1154><span style=" font-family:'calibri'; font-size: 11pt;">Hi!<br>
&nbsp;<br>
I have a capture taken with an Ethernet tap/splitter/monitor where several packets \
have a negative time difference to the previous packet, i.e. frame.time_delta is \
below zero. Actually, 13.4 % of all packets in the file have this characteristic, \
which can easily be seen by applying the filter&nbsp;<br> &nbsp;<br>
frame.time_delta &lt; 0<br>
&nbsp;<br>
It is only packets that go in one direction, e.g. from server to client, that appear \
to get negative time delta and this leads me to think that whatever causes this is \
not only due to some fault or feature in Wireshark itself.<br> &nbsp;<br>
What can this be caused by?<br>
&nbsp;<br>
Best Regards,<br>
Jaroslav Kazejev</td>
</tr>
</table>
<br><br>
<br>
<br>
</body></html>
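
Added example, not part of the original thread and not Wireshark's reordercap code: a minimal Python sketch of the check and the fix discussed above, for classic libpcap files only (pcapng is not handled). It lists the frames whose timestamp is earlier than the previous frame's (the frame.time_delta < 0 case) and rewrites the file sorted by timestamp; the sample capture and all function names are constructed for illustration.

```python
import struct

# Constructed sample timestamps (sec, usec) in capture order; frames 3 and 5 are delivered late.
SAMPLE = [(100, 0), (100, 500), (100, 200), (100, 900), (100, 700), (101, 0)]

def build_pcap(stamps):
    """Constructed input: little-endian classic pcap, one 4-byte dummy frame per timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (sec, usec) in enumerate(stamps):
        data = struct.pack("<I", i)  # payload records the capture-order index
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_records(buf):
    """Return (global_header, [((sec, frac), raw_record_bytes), ...]) in file order."""
    if buf[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec magic
        endian = "<"
    elif buf[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # same, big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    records, off = [], 24
    while off + 16 <= len(buf):
        sec, frac, incl, _orig = struct.unpack_from(endian + "IIII", buf, off)
        end = off + 16 + incl
        if end > len(buf):
            raise ValueError("truncated record")
        records.append(((sec, frac), buf[off:end]))
        off = end
    return buf[:24], records

def negative_deltas(records):
    """1-based frame numbers whose timestamp is earlier than the previous frame's."""
    return [i + 1 for i in range(1, len(records)) if records[i][0] < records[i - 1][0]]

def reorder(buf):
    """Rewrite the capture with records sorted by timestamp."""
    header, records = read_records(buf)
    # sorted() is stable, so frames with identical timestamps keep their capture order
    return header + b"".join(raw for _ts, raw in sorted(records, key=lambda r: r[0]))

if __name__ == "__main__":
    capture = build_pcap(SAMPLE)
    print("negative delta at frames:", negative_deltas(read_records(capture)[1]))
    print("after reordering:", negative_deltas(read_records(reorder(capture))[1]))
```

Comparing (seconds, fraction) pairs works for both microsecond and nanosecond captures, since the fraction field only needs to be ordered within the same second.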


