tshark capture display out of chronological order?
New tshark user, self-educating networker, trying to debug a proxy server. On the server machine, looking at standard output of this command:
sudo tshark -f not\ port\ 22 -i enp2s0 -f host\ 192.168.50.212 -i wg0 -l
enp2s0 is where the proxy client connects. 192.168.50.212 is the address of enp2s0 (-p isn't working for me, hence this filter and the "not port 22" one; that's another question). wg0 is the virtual interface of the local end of a WireGuard VPN tunnel.
I see the following, where 10.4.0.2 is the address of wg0 and "..." denotes me truncating the line:
502 47.114586667 192.168.50.200 → 192.168.50.212 HTTP 277 CONNECT ifconfig.me ...
503 47.114636300 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
504 47.115387336 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x7a6e A ifconfig.me
505 47.115428139 10.4.0.2 → 1.1.1.2 DNS 57 Standard query 0x8f64 AAAA ifconfig.me
506 47.319604790 192.168.50.212 → 192.168.50.200 TCP 170 HTTP/1.0 500 Unable to connect ...
507 47.319861769 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
508 47.319917721 192.168.50.212 → 192.168.50.200 TCP 271 8888 → 57666 [PSH, ACK] ...
509 47.320158898 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [ACK] ...
510 47.320198621 192.168.50.212 → 192.168.50.200 HTTP/XML 408 HTTP/1.0 500 Unable to connect
511 47.320428367 192.168.50.200 → 192.168.50.212 TCP 66 57666 → 8888 [FIN, ACK] ...
512 47.320428585 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
513 47.320469557 192.168.50.212 → 192.168.50.200 TCP 66 8888 → 57666 [ACK] ...
514 47.320642196 192.168.50.200 → 192.168.50.212 TCP 60 57666 → 8888 [RST] ...
515 47.319108832 1.1.1.2 → 10.4.0.2 DNS 128 Standard query response 0x8f64 AAAA ifconfig.me ...
516 47.319109241 1.1.1.2 → 10.4.0.2 DNS 73 Standard query response 0x7a6e A ifconfig.me A 34.117.59.81
At first I wondered why at #506 the proxy is sending "Unable to connect" to the client immediately after sending the DNS query into the tunnel at #504-505. Then I noticed the timestamps. #515-516 are the DNS responses received before #506. (I'm still wondering why the proxy would report "Unable to connect," but I think that's a separate issue.)
Is there anything I can do to have tshark display output in chronological order?
Quickest would be to save the tshark capture to a file, run it through reordercap and read the sorted file with tshark.
@Chuckc OK, thanks. I see that info reordercap suggests that multiple sources could result in some out-of-order output, and I was capturing from two interfaces.
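The reordering step the answer describes, as an added example that is not part of the original thread and not Wireshark's own code: a small Python script that does for a libpcap-format file what reordercap does, a stable sort of the records by timestamp. It builds an in-memory capture whose records are out of order the way frames 506 to 516 above are (a DNS response with an earlier timestamp arriving in the stream after later frames from the other interface), reports which records go backwards in time, rewrites the file sorted, and checks the result. The frame labels and the choice of which frames to include are constructed for the example; the timestamps are copied from the capture above. Only little-endian libpcap with microsecond timestamps is handled here; the real reordercap also reads pcapng, which tshark writes by default.

```python
import struct
from typing import List, Tuple

# libpcap global header: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-record header: ts_sec, ts_usec, incl_len, orig_len
RECORD_HDR = struct.Struct("<IIII")

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def write_pcap(records: List[Record], linktype: int = 1) -> bytes:
    """Serialize records into a little-endian libpcap capture with microsecond timestamps."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def read_pcap(data: bytes) -> List[Record]:
    """Parse a little-endian libpcap capture into (ts_sec, ts_usec, packet) tuples."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file (pcapng is not handled here)")
    records: List[Record] = []
    offset = GLOBAL_HDR.size
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        pkt = data[offset:offset + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        records.append((ts_sec, ts_usec, pkt))
        offset += incl_len
    return records


def out_of_order_indices(records: List[Record]) -> List[int]:
    """Indices of records whose timestamp is earlier than the record immediately before them."""
    return [i for i in range(1, len(records))
            if (records[i][0], records[i][1]) < (records[i - 1][0], records[i - 1][1])]


def reorder_pcap(data: bytes) -> bytes:
    """Rewrite a libpcap capture with its records sorted by timestamp (stable sort, as reordercap does)."""
    linktype = GLOBAL_HDR.unpack_from(data, 0)[6]
    records = read_pcap(data)
    records.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(records, linktype)


# Constructed sample: frame numbers and timestamps taken from the capture in the question,
# payloads are just labels rather than real Ethernet frames.
SAMPLE_FRAMES: List[Record] = [
    (47, 115387, b"504 DNS query A"),
    (47, 115428, b"505 DNS query AAAA"),
    (47, 319604, b"506 HTTP 500 Unable to connect"),
    (47, 319861, b"507 ACK"),
    (47, 320642, b"514 RST"),
    (47, 319108, b"515 DNS response AAAA"),
    (47, 319109, b"516 DNS response A"),
]


def demo() -> List[bytes]:
    """Write the out-of-order sample, reorder it, and return the payload labels in sorted order."""
    raw = write_pcap(SAMPLE_FRAMES)
    before = out_of_order_indices(read_pcap(raw))  # frame 515 sits after the later frame 514
    sorted_records = read_pcap(reorder_pcap(raw))
    if before == [] or out_of_order_indices(sorted_records):
        raise RuntimeError("reordering did not behave as expected")
    return [pkt for _, _, pkt in sorted_records]


if __name__ == "__main__":
    for label in demo():
        print(label.decode())
```

For a live capture the equivalent with the real tools is to write the two-interface capture with -w instead of printing it, run reordercap on the file, and then read the sorted file with tshark -r. The in-line ordering you saw is expected when capturing from more than one interface at once: each interface's packets are emitted as they are handed over, so a packet from one interface can be printed after a later-timestamped packet from the other.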