tcpdump overlapping packets
Hello everyone,
I am making some 30-second TCP measurements and I'm capturing the packets using tcpdump. When I open the pcap file I notice that packet 11709 was captured at time 7.557846 seconds after tcpdump start, whereas packet 11710 was captured after 188.463532 seconds. This cannot be true, as my measurement is only 30 seconds long and I'm really capturing only the traffic between my server and my client. On the other side, packet 12445 has a time of 188.935306 seconds, whereas packet 12446 has the time of 8.031106 seconds. Do you have any idea what the problem could be?
the pcap file: https://drive.google.com/file/d/1cUmX...
The file is not available for download. Suggest you make access 'Public' for others to look at.
Are you reading the file on another machine than where it was captured?
Is the time correct when you read the file on the capture machine itself with
tcpdump -n -ttttt -r file
?
This sounds like a big endian / little endian swap. ( https://wiki.wireshark.org/Developmen... )
here is the new link, I hope this time will work https://drive.google.com/file/d/1cUmX...
@Andre I capture the pcap file on another device using the following command: tcpdump -n -i eno1 -w server.pcap -s 66 "tcp port 5201"
then I import this file via SSH to my computer
Is the output time correct when you run this command on the 'other device'?
Actually not, as I only record for 30 seconds and it shows me a jump of 3 minutes:
11709 00:00:07.557846 IP 130.75.73.70.5201 > 80.187.113.171.21571: Flags [P.], seq 40544001:40549793, ack 38, win 4, options [nop,nop,TS val 2304235511 ecr 983608947], length 5792
11710 00:03:08.463532 IP 130.75.73.70.5201 > 80.187.113.171.21571: Flags [P.], seq 40549793:40555585, ack 38, win 4, options [nop,nop,TS val 2304235511 ecr 983608947], length 5792
and then:
12445 00:03:08.935306 IP 80.187.113.171.21571 > 130.75.73.70.5201: Flags [.], ack 43141713, win 24576, options [nop,nop,TS val 983609423 ecr 2304235953], length 0
12446 00:00:08.031106 IP 130.75.73.70.5201 > 80.187.113.171.21571: Flags [P.], seq 43374841:43383529, ack 38, win 4 ...(more)
Could it be as simple as a time change on the capturing system? System time gets pushed out by 3min, then gets corrected?
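A way to check both hypotheses raised above (endianness swap, and a system clock that jumped and was corrected) without opening the file in Wireshark. This is an added example, not code from the thread or from tcpdump: it decodes the classic pcap record headers directly, honouring the byte order given by the magic number, and lists every packet whose timestamp goes backwards or jumps by more than a chosen gap; the sample pcap built at the bottom is constructed to mirror the four timestamps quoted in the question.

```python
import struct
from typing import List, Tuple

# Classic pcap magic numbers: microsecond and nanosecond timestamp variants.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D

def read_pcap_timestamps(data: bytes) -> List[float]:
    """Return per-packet capture timestamps (seconds) from a classic pcap buffer.
    The byte order is taken from the magic number, so a file written on a
    big-endian host decodes correctly on a little-endian reader (and vice versa)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order = "<"
    (magic,) = struct.unpack(order + "I", data[:4])
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        order = ">"
        (magic,) = struct.unpack(order + "I", data[:4])
    if magic not in (MAGIC_USEC, MAGIC_NSEC):
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    frac_divisor = 1e9 if magic == MAGIC_NSEC else 1e6
    stamps, off = [], 24          # 24 bytes = global header
    while off + 16 <= len(data):  # 16 bytes = per-packet record header
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16 + incl_len      # skip the captured bytes themselves
        if off > len(data):
            raise ValueError("truncated packet record")
        stamps.append(ts_sec + ts_frac / frac_divisor)
    return stamps

def find_time_jumps(stamps: List[float], max_gap: float = 1.0) -> List[Tuple[int, float]]:
    """Return (packet_number, delta_seconds) for every step that goes backwards
    or exceeds max_gap. Packet numbers are 1-based, as in tcpdump -r and Wireshark."""
    jumps = []
    for i in range(1, len(stamps)):
        delta = stamps[i] - stamps[i - 1]
        if delta < 0 or delta > max_gap:
            jumps.append((i + 1, delta))
    return jumps

def build_sample_pcap(stamps: List[float], order: str = "<") -> bytes:
    """Constructed test input: a pcap (linktype 1) with one empty record per timestamp."""
    hdr = struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack(order + "IIII", int(t), int(round((t - int(t)) * 1e6)), 0, 0)
                    for t in stamps)
    return hdr + recs

# Constructed to mirror the thread: 7.56 s -> 188.46 s -> 188.94 s -> 8.03 s.
SAMPLE = build_sample_pcap([7.557846, 188.463532, 188.935306, 8.031106])
```

For the real capture, replace SAMPLE with the bytes of server.pcap; a clock that was stepped forward and then corrected shows up as one large positive delta followed later by a negative one, while an endianness problem shows up as absurd absolute values rather than a pair of jumps.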