
tshark capture display out of chronological order?

New tshark user, self-educating networker, trying to debug a proxy server. On the server machine, looking at standard output of this command:
sudo tshark -f not\ port\ 22 -i enp2s0 -f host\ 192.168.50.212 -i wg0 -l

enp2s0 is where the proxy client connects. 192.168.50.212 is the address of enp2s0 (-p isn't working for me, hence this filter and the not port 22 one; that's another question). wg0 is the virtual interface of the local end of a WireGuard VPN tunnel.

I see the following, where 10.4.0.2 is the address of wg0 and "..." denotes me truncating the line:

 502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP     277 CONNECT ifconfig.me ...  
 503 47.114636300 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 504 47.115387336 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x7a6e A ifconfig.me  
 505 47.115428139 10.4.0.2       → 1.1.1.2        DNS       57 Standard query 0x8f64 AAAA ifconfig.me  
 506 47.319604790 192.168.50.212 → 192.168.50.200 TCP      170 HTTP/1.0 500 Unable to connect ...  
 507 47.319861769 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 508 47.319917721 192.168.50.212 → 192.168.50.200 TCP      271 8888 → 57666 [PSH, ACK] ...  
 509 47.320158898 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [ACK] ...  
 510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect  
 511 47.320428367 192.168.50.200 → 192.168.50.212 TCP       66 57666 → 8888 [FIN, ACK]  ...  
 512 47.320428585 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 513 47.320469557 192.168.50.212 → 192.168.50.200 TCP       66 8888 → 57666 [ACK] ...  
 514 47.320642196 192.168.50.200 → 192.168.50.212 TCP       60 57666 → 8888 [RST] ...  
 515 47.319108832 1.1.1.2        → 10.4.0.2       DNS      128 Standard query response 0x8f64 AAAA ifconfig.me ...  
 516 47.319109241 1.1.1.2        → 10.4.0.2       DNS       73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81

At first I wondered why at #506 the proxy is sending "Unable to connect" to the client immediately after sending the DNS query into the tunnel at #504-505. Then I noticed the timestamps. #515-516 are the DNS responses received before #506. (I'm still wondering why the proxy would report "Unable to connect," but I think that's a separate issue.)

Is there anything I can do to have tshark display output in chronological order?

brec
asked 2022-06-18 16:56:26 +0000
grahamb
updated 2022-06-18 17:22:41 +0000

Comments

Quickest would be to save the tshark capture to a file, run it through reordercap and read the sorted file with tshark.

Chuckc (2022-06-19 00:29:28 +0000)

@Chuckc OK, thanks. I see that info reordercap suggests that multiple sources could result in some out-of-order output, and I was capturing from two interfaces.

brec (2022-06-19 03:18:21 +0000)

1 Answer


Based on @Chuckc's comment to my question, I think that, strictly speaking, there's not an answer to getting "tshark display output [always in strictly] chronological order" with multiple interfaces being captured. But the suggestion of using reordercap seems like the best answer.

P.S. I don't have enough karma as yet to accept my own answer, so if this answer is accepted it was by some other kind soul.

brec
answered 2022-06-19 03:21:40 +0000, updated 2022-06-19 03:24:02 +0000
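The workflow suggested in the comments is `tshark -i enp2s0 -i wg0 -w capture.pcapng`, then `reordercap capture.pcapng sorted.pcapng`, then `tshark -r sorted.pcapng`. To make concrete what reordercap actually does to the file, here is an added example (not part of the question, the answer, or the Wireshark project) that parses a classic pcap, counts records whose timestamp precedes the record before them, and rewrites the file with records sorted by timestamp. It handles classic pcap only (tshark writes pcapng by default, which has a different block structure; reordercap itself handles both), and the sample file is constructed inline with placeholder payloads labelled after frames 504-516 of the question, using the private link type 147 (LINKTYPE_USER0) rather than pretending to contain real Ethernet frames. The epoch second is arbitrary; only the microsecond parts are taken from the question.

```python
"""Reorder a classic pcap file by packet timestamp, modelling what reordercap does."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic microsecond-resolution pcap
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
LINKTYPE_USER0 = 147           # private link type: payloads below are constructed labels, not frames

# Constructed sample, modelled on frames 504-516 of the question: two interfaces
# were captured and the DNS responses (515, 516) appeared in the output after the
# HTTP 500 (506) even though their timestamps are earlier.
BASE_SEC = 1_655_570_000  # arbitrary constructed epoch second
CAPTURE_ORDER = [
    # (frame number used as label, microseconds within BASE_SEC, payload)
    (504, 115387, b"DNS  10.4.0.2 -> 1.1.1.2 query A ifconfig.me"),
    (505, 115428, b"DNS  10.4.0.2 -> 1.1.1.2 query AAAA ifconfig.me"),
    (506, 319604, b"HTTP 192.168.50.212 -> 192.168.50.200 500 Unable to connect"),
    (507, 319861, b"TCP  192.168.50.200 -> 192.168.50.212 [ACK]"),
    (514, 320642, b"TCP  192.168.50.200 -> 192.168.50.212 [RST]"),
    (515, 319108, b"DNS  1.1.1.2 -> 10.4.0.2 response AAAA ifconfig.me"),
    (516, 319109, b"DNS  1.1.1.2 -> 10.4.0.2 response A ifconfig.me"),
]


def build_pcap(records, linktype=LINKTYPE_USER0):
    """Serialise (sec, usec, payload) tuples into a little-endian classic pcap."""
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, payload in records:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)


def parse_pcap(data):
    """Return (global_header, endian, [(sec, frac, payload), ...]).

    frac is microseconds or nanoseconds depending on the magic number; it is
    only ever compared within one file, so the unit does not matter here.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        start, end = offset + 16, offset + 16 + incl_len
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % offset)
        records.append((sec, frac, data[start:end]))
        offset = end
    return data[:24], endian, records


def out_of_order_count(records):
    """Number of records whose timestamp is earlier than the record before it."""
    return sum(1 for prev, cur in zip(records, records[1:]) if cur[:2] < prev[:2])


def reorder_pcap(data):
    """Rewrite a classic pcap with records sorted by (sec, frac); ties keep capture order."""
    header, endian, records = parse_pcap(data)
    records.sort(key=lambda r: (r[0], r[1]))  # list.sort is stable
    out = bytearray(header)
    for sec, frac, payload in records:
        out += struct.pack(endian + "IIII", sec, frac, len(payload), len(payload)) + payload
    return bytes(out)


def frame_labels(records):
    """Map the constructed payloads back to their frame numbers, for inspection."""
    by_payload = {payload: frame for frame, _, payload in CAPTURE_ORDER}
    return [by_payload[p] for _, _, p in records]


def demo():
    """Return (misordered count, frame order as captured, frame order after sorting)."""
    raw = build_pcap([(BASE_SEC, usec, payload) for _, usec, payload in CAPTURE_ORDER])
    before = parse_pcap(raw)[2]
    after = parse_pcap(reorder_pcap(raw))[2]
    return out_of_order_count(before), frame_labels(before), frame_labels(after)


if __name__ == "__main__":
    misordered, before, after = demo()
    print("out-of-order records:", misordered)
    print("capture order:", before)
    print("sorted order: ", after)
```

On the constructed file, one record is flagged as out of order (515 following 514) and the sorted output places 515 and 516 between 505 and 506, which is the order the timestamps in the question describe. Sorting is stable, so records that share a timestamp stay in capture order, the same behaviour you want from any reordering step when frames from two interfaces arrive in the same microsecond.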
