Different packets order between Wireshark and application

Hi, I have a simple Linux C application that receives a UDP multicast flow produced by another application running on the same host (same IP/port). The UDP data has a sequence number in order to detect gaps at application level. What is happening is that sometimes the receiver application detects a gap in the UDP packets received, but they appear in order in Wireshark. My question is: is it possible to have a different order between the capture and the received data?

Thanks

becco981, asked 2020-10-28 14:58:39 +0000


2 Answers


That would highly depend on where the capture is taken.

If the receiver is too busy then that might explain why the multicast packets are in good order on the network but not all seen by the client.

hugo.vanderkooij, answered 2020-10-28 15:23:59 +0000

Comments

Sender and receiver are on the same host, so the capture is taken on that host. The receiver receives the packets; they're not dropped, but they arrive in a different order. Let's say in Wireshark we see a packet with a payload containing sequence number 1 and immediately after it another packet with sequence number 2. That should be what we would see at the application layer, but instead we detect packet 2 before packet 1. Packets are not missing, they're in the wrong order.

becco981 (2020-10-28 15:37:25 +0000)

What you have here are two sockets connected to the same port on the loopback interface and a capture on this loopback too, using a multicast path through the network stack. All this is highly Operating System dependent, so not really a question on Wireshark, but more on the implementation details of the network stack in the OS.

So, in this context, to come back to your question: yes, it is possible to have different order between the capture and the received data.

Jaap, answered 2020-10-28 22:00:21 +0000

Comments

> but more on the implementation details of the network stack in the OS.

And, on Linux, on the implementation details of libpcap. PF_PACKET sockets, which are what libpcap uses (except on REALLY ANCIENT Linux kernels) to capture packets, supply both received and sent packets. They take that literally, so if a process sends a packet to the host on which it's running, the PF_PACKET socket gets both the sent packet and the received packet. libpcap discards the sent packet, so you don't see two copies.

Guy Harris (2020-10-29 03:13:51 +0000)
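
An added example, not code from this thread or from Wireshark/libpcap: because the receiving socket can see datagrams in a different order than the capture does, a receiver-side check can separate a late (reordered) packet from a lost one instead of flagging every out-of-order arrival as a gap. The tracker, its names, the 32-bit sequence number and the 64-packet window are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

enum seq_verdict { SEQ_IN_ORDER, SEQ_AHEAD, SEQ_LATE, SEQ_DUPLICATE, SEQ_TOO_OLD };

/* Hypothetical tracker: names and the 64-packet window are assumptions. */
struct seq_tracker {
    uint32_t highest;      /* highest sequence number seen so far */
    uint64_t seen;         /* bit i set: (highest - i) has been received */
    uint32_t valid;        /* window slots since the first packet; 0 = no packet yet */
    unsigned outstanding;  /* numbers skipped over and not received since */
};

enum seq_verdict seq_observe(struct seq_tracker *t, uint32_t seq)
{
    uint32_t ahead = seq - t->highest, back = t->highest - seq;  /* modulo 2^32 */
    if (t->valid == 0) {                            /* first packet sets the baseline */
        t->highest = seq; t->seen = 1; t->valid = 1;
        return SEQ_IN_ORDER;
    }
    if (ahead != 0 && ahead < 0x80000000u) {        /* newer than anything seen */
        t->seen = (ahead >= 64 ? 0 : t->seen << ahead) | 1;
        t->valid = t->valid + ahead > 64 ? 64 : t->valid + ahead;
        t->highest = seq;
        t->outstanding += ahead - 1;                /* numbers jumped over */
        return ahead == 1 ? SEQ_IN_ORDER : SEQ_AHEAD;
    }
    if (back >= t->valid) return SEQ_TOO_OLD;       /* before baseline or window */
    if (t->seen & (1ULL << back)) return SEQ_DUPLICATE;
    t->seen |= 1ULL << back;                        /* fills an earlier hole: */
    t->outstanding--;                               /* reordered, not lost */
    return SEQ_LATE;
}

/* Constructed arrival order: 3 overtakes 2, 4 is duplicated, 5 and 6 never arrive. */
const uint32_t sample_arrivals[] = {1, 3, 2, 4, 4, 7};

int main(void)
{
    static const char *name[] = {"in order", "ahead", "late", "duplicate", "too old"};
    struct seq_tracker t = {0};
    for (size_t i = 0; i < sizeof sample_arrivals / sizeof sample_arrivals[0]; i++)
        printf("seq %u: %s\n", (unsigned)sample_arrivals[i], name[seq_observe(&t, sample_arrivals[i])]);
    printf("never received: %u\n", t.outstanding);
    return 0;
}
```

A hole reported as `SEQ_AHEAD` only counts as loss if no `SEQ_LATE` packet fills it before it leaves the window.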