Mirroring capture out of order or reversed in sequence get reply before you request
I'm test mirroring device
one is get gear switch, with mirror port configured
one is a network tap DCSW-1005
one is a ixia port aggregator , TPA-CU3
3 Device used.
1 router 192.168.1.254
1 PC 192.168.1.223
1 PC for mirroring capture
I found no matter how to change port or change settings there is a high chance the mirroring capture is not in order. ICMP reply can be captured before ICMP request.
Try to disable any offloading functionality of the NIC card that is collecting the mirrored traffic.
Note that the time stamp of the reply is earlier than the time stamp of the request! This suggests that Wireshark is getting delivered the mirrored packets out of order, so which may be the result of the switch ("get gear" being the result of autoincorrect "fixing" "netgear"?) sending them out in the wrong order (with the request being sent almost .4 seconds after the reply), or due to the NIC or the networking stack on the machine running Wireshark handing them to Wireshark out of order and with weird time stamps.
I turn off following offload on NIC it still have disorder (but improved abit)
NS offload IPV4 checksum offload IPV6 checksum offload TCP checksum offload (V4 V6) UDP checksum offload (V4 V6) ARP offload large send offload
But I tried on Linux, it's all good everything in order.
Means windows capture can't be trusted.