
How is the frame number determined?

asked 2020-08-13 03:51:02 +0000

fira

I have the SS7 messages below. Msg num 3 and 4 arrive at the same time; how does tshark determine the msg order?

tshark.exe -r LU.pcap -T fields -E header=y -e frame.number -e frame.time -e frame.time_delta_displayed -e mtp3.opc -e mtp3.dpc -e tcap.invokeID
frame.number    frame.time      frame.time_delta_displayed      mtp3.opc        mtp3.dpc        tcap.invokeID
1       Aug 11, 2020 06:08:47.692000000 SE Asia Standard Time   0.000000000     125   134   -22
2       Aug 11, 2020 06:08:47.709000000 SE Asia Standard Time   0.017000000     134   16    -22
3       Aug 11, 2020 06:08:48.099000000 SE Asia Standard Time   0.390000000     17    134   -21
4       Aug 11, 2020 06:08:48.099000000 SE Asia Standard Time   0.000000000     17    134   -20
5       Aug 11, 2020 06:08:48.117000000 SE Asia Standard Time   0.018000000     134   125   -20
6       Aug 11, 2020 06:08:48.122000000 SE Asia Standard Time   0.005000000     134   125   -21
7       Aug 11, 2020 06:09:02.121000000 SE Asia Standard Time   13.999000000    17    134   -22
8       Aug 11, 2020 06:09:02.140000000 SE Asia Standard Time   0.019000000     134   125   -22

1 Answer


answered 2020-08-13 07:12:41 +0000

Guy Harris

updated 2020-08-13 07:39:15 +0000

Jaap

The packet number is based on the order in which the packets appear in the capture file (for a live capture, packets are still written to a file, but they're written in the order in which they're delivered to libpcap/WinPcap/Npcap).

From the ".exe", this is presumably Windows; the default time stamp mechanism used by both WinPcap and Npcap doesn't give high-resolution time stamps - note that all digits after the first 3 following the decimal point are 0, so that's a resolution of .001 seconds. That's why they appear to have arrived at the same time.

(Note also that, on most if not all platforms on which Wireshark can capture packets, a packet may be time stamped some amount of time after it's received, so time stamps aren't very precise, unless you use hardware capture nodes with hardware time stamping, e.g., ProfiTap.)

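The behaviour described in the answer above, as an added example that is not part of the original post or of Wireshark's code: a minimal Python reader for the classic pcap format that numbers records by their position in the file, lists adjacent records with identical time stamps, and estimates the effective time stamp resolution. The sample capture, its payload strings, the link type and all function names are constructed for illustration.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, little-endian, microsecond time stamps

def build_pcap(records):
    """Serialise (sec, usec, payload) tuples as a classic pcap file image."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 147 (USER0).
    blob = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 147)
    for sec, usec, payload in records:
        blob += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return blob

def read_frames(blob):
    """Return [(frame_number, timestamp_usec, payload)], numbered by file position."""
    if struct.unpack_from("<I", blob, 0)[0] != MAGIC_USEC:
        raise ValueError("only little-endian microsecond pcap is handled")
    frames, offset = [], 24  # records start after the 24-byte global header
    while offset + 16 <= len(blob):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        if offset + caplen > len(blob):
            raise ValueError("truncated record")
        # The number is the record's position in the file; the time stamp plays no part.
        frames.append((len(frames) + 1, sec * 1_000_000 + usec,
                       blob[offset:offset + caplen]))
        offset += caplen
    return frames

def ties(frames):
    """Adjacent frame pairs with identical time stamps; only file order separates them."""
    return [(a[0], b[0]) for a, b in zip(frames, frames[1:]) if a[1] == b[1]]

def effective_resolution_usec(frames):
    """Largest power-of-ten step (in microseconds) that divides every time stamp."""
    step = 1_000_000
    while step > 1 and any(ts % step for _, ts, _ in frames):
        step //= 10
    return step

# Constructed sample: five records with millisecond-granular time stamps,
# two of them identical, mirroring frames 1-5 of the listing in the question.
T0 = 1597100927  # constructed epoch second
SAMPLE = build_pcap([
    (T0, 692000, b"invokeID -22"), (T0, 709000, b"invokeID -22"),
    (T0 + 1, 99000, b"invokeID -21"), (T0 + 1, 99000, b"invokeID -20"),
    (T0 + 1, 117000, b"invokeID -20"),
])

if __name__ == "__main__":
    frames = read_frames(SAMPLE)
    for number, ts, payload in frames:
        print(number, f"{ts // 1_000_000}.{ts % 1_000_000:06d}", payload.decode())
    print("ties:", ties(frames), "resolution (us):", effective_resolution_usec(frames))
```

When building an incident timeline from a capture, frames reported by `ties` can only be ordered by frame number, and the reported resolution bounds how finely events from that capture can be correlated with other logs.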
