
How is the frame number determined?


I have the SS7 messages below; msg num 3 and 4 arrive at the same time. How does tshark determine the msg order?

tshark.exe -r LU.pcap -T fields -E header=y -e frame.number -e frame.time -e frame.time_delta_displayed -e mtp3.opc -e mtp3.dpc -e tcap.invokeID
frame.number    frame.time      frame.time_delta_displayed      mtp3.opc        mtp3.dpc        tcap.invokeID
1       Aug 11, 2020 06:08:47.692000000 SE Asia Standard Time   0.000000000     125   134   -22
2       Aug 11, 2020 06:08:47.709000000 SE Asia Standard Time   0.017000000     134   16    -22
3       Aug 11, 2020 06:08:48.099000000 SE Asia Standard Time   0.390000000     17    134   -21
4       Aug 11, 2020 06:08:48.099000000 SE Asia Standard Time   0.000000000     17    134   -20
5       Aug 11, 2020 06:08:48.117000000 SE Asia Standard Time   0.018000000     134   125   -20
6       Aug 11, 2020 06:08:48.122000000 SE Asia Standard Time   0.005000000     134   125   -21
7       Aug 11, 2020 06:09:02.121000000 SE Asia Standard Time   13.999000000    17    134   -22
8       Aug 11, 2020 06:09:02.140000000 SE Asia Standard Time   0.019000000     134   125   -22
fira
asked 2020-08-13 03:51:02 +0000


1 Answer


The packet number is based on the order in which the packets appear in the capture file (for a live capture, packets are still written to a file, but they're written in the order in which they're delivered to libpcap/WinPcap/Npcap).

From the ".exe", this is presumably Windows; the default time stamp mechanism used by both WinPcap and Npcap doesn't give high-resolution time stamps - note that all digits after the first 3 following the decimal point are 0, so that's a resolution of .001 seconds. That's why they appear to have arrived at the same time.

(Note also that, on most if not all platforms on which Wireshark can capture packets, a packet may be time stamped some amount of time after it's received, so time stamps aren't very precise, unless you use hardware capture nodes with hardware time stamping, e.g., ProfiTap.)

Guy Harris
answered 2020-08-13 07:12:41 +0000
Jaap
updated 2020-08-13 07:39:15 +0000
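
The behaviour described in the answer above, as an added example that is not part of the original answer or of Wireshark's code: a minimal reader for classic pcap files that numbers frames purely by record position, infers the effective time stamp resolution, and lists frames whose time stamps tie. It assumes a little-endian, microsecond-resolution pcap; the function names and the sample capture bytes are constructed for illustration.

```python
import io
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond time stamps

def build_pcap(records):
    """Build a little-endian pcap from (ts_sec, ts_usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in records:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_frames(blob):
    """Yield (frame_number, ts_sec, ts_usec, payload) in file order."""
    f = io.BytesIO(blob)
    (magic,) = struct.unpack("<I", f.read(4))
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap")
    f.read(20)  # skip the rest of the 24-byte global header
    number = 0
    while True:
        hdr = f.read(16)
        if len(hdr) < 16:
            return
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
        data = f.read(incl_len)
        if len(data) < incl_len:
            return  # truncated final record
        number += 1  # the frame number is the record's position, nothing else
        yield number, sec, usec, data

def effective_resolution_usec(frames):
    """Largest power of ten (in microseconds) dividing every ts_usec."""
    res = 1_000_000
    for _, _, usec, _ in frames:
        while res > 1 and usec % res:
            res //= 10
    return res

def timestamp_ties(frames):
    """Groups of frame numbers that share an identical time stamp."""
    groups = {}
    for number, sec, usec, _ in frames:
        groups.setdefault((sec, usec), []).append(number)
    return [g for g in groups.values() if len(g) > 1]

# Constructed sample: four records, the last two with the same time stamp.
T = 1597100927
SAMPLE = build_pcap([(T, 692000, b"msg A"), (T, 709000, b"msg B"),
                     (T + 1, 99000, b"invokeID -21"), (T + 1, 99000, b"invokeID -20")])
FRAMES = list(read_frames(SAMPLE))
```

Swapping the last two records in the sample swaps which payload gets frame number 3; the time stamps play no part in the numbering.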