Not tried this but what about using a switch to combine the traffic and
send out via a SPAN port to a single capture interface?

https://blog.packet-foo.com/2016/12/the-network-capture-playbook-part-5-network-tap-basics/
"The Packet out of order problem
If you want to avoid out of order captures using a full duplex TAP, the
only reliable way is to use a professional FPGA based multi port capture
cards that are able to merge the incoming packets within the card."

https://osqa-ask.wireshark.org/questions/34102/packets-out-of-order/
packets out of order

On Tue, Sep 21, 2021 at 2:58 AM Helge Kruse <helge.kr...@gmx.net> wrote:

> I have two network nodes built with microcontrollers. These are not
> capable of capturing network traffic. So I want to monitor the
> communication between these nodes with a tap
> (https://www.amazon.com/gp/product/B07VZYPYV8). It works as described
> here: https://blog.wains.be/2007/2007-02-01-diy-passive-network-tap/
>
> Wireshark is capturing the data on two different Ethernet adapters in a
> PC. This raises the problem that the timestamps for the packets are
> taken when the capture driver receives the packet. The result is a small
> jitter of the timestamps. In many cases the TCP ACK is received before
> the ack'd TCP segment is received at the other Ethernet adapter. This
> causes false-positive errors in the Wireshark log. These errors are
> - TCP Spurious Retransmission
> - TCP ACKed unseen segment
>
> Example:
> Frame t       src/dst Info
> 31  0.862143  40->92  [TCP ACKed unseen segment]  Seq=15 Ack=391
> 32  0.862226  92->40  [TCP Spurious Retransmission]  Seq=66 Ack=15
> 33  0.863048  92->40  Seq=391 Ack=29
> 39  1.061595  40->92  Seq=29 Ack=456
> 40  1.061595  40->92  [TCP ACKed unseen segment]  Seq=29 Ack=586
> 41  1.062206  92->40  [TCP Spurious Retransmission] Seq=456 Ack=29
>
>
> I want to use the capture to identify actual errors. These will be
> hidden by the thousands of false positives. The data shown above is
> already the output of reordercap.
>
> - How can Wireshark handle these small jitters and suppress false
> positive errors?
>
> - Is there a known procedure to capture full-duplex while keeping the
> original sequence?
>
> Best regards,
> Helge
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-requ...@wireshark.org
> ?subject=unsubscribe
>
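
An added example, not part of the thread and not something Wireshark or reordercap does: a post-processing merge of the two per-adapter streams that places a segment ahead of the ACK covering it when the two timestamps differ by no more than a jitter window, and leaves larger gaps alone so real anomalies stay visible. The names Seg, causal_merge, unseen_acks and window are hypothetical, and the sample packets are constructed (the 83 microsecond gap mirrors frames 31 and 32 in the quoted capture).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Seg:
    ts: float    # timestamp stamped by the capturing adapter's driver
    src: int     # node label, as in the src/dst column of the quoted capture
    dst: int
    seq: int     # relative sequence number of the first payload byte
    length: int  # payload bytes
    ack: int     # relative acknowledgement number

def causal_merge(dir_a, dir_b, window=0.001):
    """Merge two per-adapter lists (each in arrival order) by timestamp, but put
    a segment ahead of an ACK that covers it when the segment was stamped at
    most `window` seconds after that ACK on the other adapter."""
    queues = [list(dir_a), list(dir_b)]
    # Bytes sent before the capture started count as already seen.
    seen_end = [q[0].seq if q else 0 for q in queues]
    pos, out = [0, 0], []
    while pos[0] < len(queues[0]) or pos[1] < len(queues[1]):
        heads = [q[p] if p < len(q) else None for q, p in zip(queues, pos)]
        if heads[0] is None or heads[1] is None:
            pick = 1 if heads[0] is None else 0
        else:
            pick = 0 if heads[0].ts <= heads[1].ts else 1
            other = 1 - pick
            acks_unseen = heads[pick].ack > seen_end[other]
            other_is_causal = heads[other].ack <= seen_end[pick]
            close = heads[other].ts - heads[pick].ts <= window
            if acks_unseen and other_is_causal and close:
                pick = other  # jitter: the acknowledged data goes first
        seg = queues[pick][pos[pick]]
        pos[pick] += 1
        seen_end[pick] = max(seen_end[pick], seg.seq + seg.length)
        out.append(seg)
    return out

def unseen_acks(order):
    """Count packets that acknowledge bytes not yet seen from the peer."""
    seen = {s.src: s.seq for s in reversed(order)}  # first seq seen per node
    count = 0
    for s in order:
        count += s.ack > seen.get(s.dst, 0)
        seen[s.src] = max(seen[s.src], s.seq + s.length)
    return count

# Constructed sample: the first ACK is stamped 83 us before its data (jitter);
# the second ACK covers bytes that show up 0.5 s later, which is a real anomaly.
FROM_92 = [Seg(0.862226, 92, 40, 0, 100, 0), Seg(1.500000, 92, 40, 100, 100, 0)]
FROM_40 = [Seg(0.862143, 40, 92, 0, 0, 100), Seg(1.000000, 40, 92, 0, 0, 200)]
```

On the constructed sample, a plain timestamp sort leaves two ACKs ahead of their data, while causal_merge(FROM_92, FROM_40) leaves only the one that is 0.5 s early.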