Ask Your Question
0

Different packets order between Wireshark and application

asked 2020-10-28 14:58:39 +0000

becco981 gravatar image

Hi, I have simple Linux C application that receives an UDP multicast flow produced by another application running on the seme host (same IP/port). The UDP data has a sequence number in order to detect gaps at application level. What is happening is that sometimes the receiver application detects a gap in the UDP packets received but they result ordered in Wireshark. My question is, is it possible to have different order between the capture and the received data?

Thanks

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-10-28 22:00:21 +0000

Jaap gravatar image

What you have here are two sockets connected to the same port on the loopback interface and a capture on this loopback too, using a multicast path through the network stack. All this is highly Operating System dependant, so not really a question on Wireshark, but more on the implementation details of the network stack in the OS.

So, in this context, to come back to your question: yes, it is possible to have different order between the capture and the received data.

edit flag offensive delete link more

Comments

but more on the implementation details of the network stack in the OS.

And, on Linux, on the implementation details of libpcap. PF_PACKET sockets, which are what libpcap uses (except on REALLY ANCIENT Linux kernels) to capture packets, supply both received and sent packets. They take that literally, so if a process sends a packet to the host on which it's running, the PF_PACKET socket gets both the sent packet and the received packet. libpcap discards the sent packet, so you don't see two copies.

Guy Harris gravatar imageGuy Harris ( 2020-10-29 03:13:51 +0000 )edit
add a comment
0

answered 2020-10-28 15:23:59 +0000

hugo.vanderkooij gravatar image

That would highly depend on where the capture is taken.

If the receiver is too busy then that migh explain why the multicast packets are in good order on the network but not all seen by the client.

edit flag offensive delete link more

Comments

Sender and receiver are on the same host, so the capture is taken on that host. Receiver receives the packet, they're not dropped, but in a different order. Lets say on the Wireshark we see packet with payload containing sequence number 1 and immediately after another packet with sequence number 2. That should be what we would see at application layer, but, instead, we detect packet 2 before packet 1. Packets are not missing, they're in the wrong order.

becco981 gravatar imagebecco981 ( 2020-10-28 15:37:25 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-10-28 14:58:39 +0000

Seen: 548 times

Last updated: Oct 28 '20

Related questions

How do i export RTP-UDP(UNICAST and MULTICAST Stream to a VLC Playable-file

Broken save and copy function in Statistics/UDP Multicast Streams

Statistics > UDP Multicast > Display Filter > Apply Broken?

What cause UDP Multicast Stream Statistics to double count streams

check udp payload in wireshark

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

My UDP packets aren't showing

Monitoring UDP data on wireshark shows ARP packet

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2