Mirroring capture out of order or reversed in sequence get reply before you request

I'm test mirroring device

one is get gear switch, with mirror port configured

one is a network tap DCSW-1005

one is a ixia port aggregator , TPA-CU3

3 Device used.

1 router 192.168.1.254

1 PC 192.168.1.223

1 PC for mirroring capture

I found no matter how to change port or change settings there is a high chance the mirroring capture is not in order. ICMP reply can be captured before ICMP request.

image description

beterhans's avatar
1
beterhans
asked 2022-09-02 05:17:21 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Try to disable any offloading functionality of the NIC card that is collecting the mirrored traffic.

Bob Jones's avatar Bob Jones (2022-09-02 09:42:00 +0000) edit
more
  • delete

Note that the time stamp of the reply is earlier than the time stamp of the request! This suggests that Wireshark is getting delivered the mirrored packets out of order, so which may be the result of the switch ("get gear" being the result of autoincorrect "fixing" "netgear"?) sending them out in the wrong order (with the request being sent almost .4 seconds after the reply), or due to the NIC or the networking stack on the machine running Wireshark handing them to Wireshark out of order and with weird time stamps.

Guy Harris's avatar Guy Harris (2022-09-04 07:32:18 +0000) edit
more
  • delete

I turn off following offload on NIC it still have disorder (but improved abit)

NS offload IPV4 checksum offload IPV6 checksum offload TCP checksum offload (V4 V6) UDP checksum offload (V4 V6) ARP offload large send offload

But I tried on Linux, it's all good everything in order.

Means windows capture can't be trusted.

beterhans's avatar beterhans (2022-09-20 06:42:34 +0000) edit
more
  • delete
add a comment see more comments