I am seeing a problem in the pcap files written for my calls where the SIP RING packet or the RTP packet will have a timestamp of approx 17-20 seconds BEFORE the previous packet, causing Wireshark to misprint the info. On the exact same machine and interface, at the same time I am running pcapsipdump, I am not seeing the issue.
I have two files - data captured with pcapdump and data captured with dumpcap, taken at the exact same time from the same interface for the same call setup. You will see the timestamp is incorrect on packet 3 in pcapsipdump-example.pcap. Here is a screenshot of the file from pcapsipdump.
That's weird.
If you feed a known-good .pcap file to pcapsipdump (with the -r option), do you see the same problem (which would squarely implicate pcapsipdump's internal logic in this bug), or do you only see this when capturing on the interface directly (which would possibly imply a bug in how pcapsipdump talks to libpcap)?
Also, which OS and libpcap version are on the host pcapsipdump is running on?
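A small checker for the symptom described in this thread, added here as an example; it is not part of pcapsipdump, dumpcap or Wireshark. It parses the classic pcap format directly (global header, then 16-byte record headers, with the 0xA1B2C3D4 microsecond and 0xA1B23C4D nanosecond magics in either byte order) and reports every record whose timestamp is earlier than the record before it by at least a threshold, so you can run it over both the live capture and the -r output and see whether only one of them contains the backward jump. The `build_pcap` helper and `SAMPLE_PCAP` are constructed test input (a four-packet file whose third record is stamped 17.9 s early), not data from the reporter's traces.

```python
"""Scan a pcap file for packets whose timestamp runs backwards.

Hypothetical helper written for this thread; it is not part of
pcapsipdump, dumpcap or Wireshark. It reads the classic pcap format
(magic 0xA1B2C3D4 for microsecond and 0xA1B23C4D for nanosecond
resolution, either byte order) and reports every record whose
timestamp is earlier than the preceding record's by at least
``min_jump`` seconds.
"""
import struct
from typing import Iterator, List, Tuple

_MICRO_MAGIC = 0xA1B2C3D4
_NANO_MAGIC = 0xA1B23C4D
_GLOBAL_HEADER_LEN = 24
_RECORD_HEADER_LEN = 16


def _detect_layout(magic_bytes: bytes) -> Tuple[str, int]:
    """Return (struct byte-order prefix, nanoseconds per fractional unit)."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == _MICRO_MAGIC:
            return endian, 1_000
        if magic == _NANO_MAGIC:
            return endian, 1
    raise ValueError("not a classic pcap file (unknown magic)")


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (1-based record number, timestamp in ns, captured bytes)."""
    endian, ns_per_unit = _detect_layout(data[:4])
    offset = _GLOBAL_HEADER_LEN
    number = 0
    while offset + _RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + _RECORD_HEADER_LEN])
        offset += _RECORD_HEADER_LEN
        payload = data[offset:offset + incl_len]
        if len(payload) != incl_len:
            raise ValueError(f"record {number + 1} is truncated")
        offset += incl_len
        number += 1
        yield number, ts_sec * 1_000_000_000 + ts_frac * ns_per_unit, payload


def find_backward_timestamps(data: bytes, min_jump: float = 1.0) -> List[Tuple[int, float]]:
    """Return (record number, seconds behind the previous record) for every
    record whose timestamp is at least ``min_jump`` s earlier than its
    predecessor. These are the records Wireshark will show out of order."""
    hits = []
    prev_ns = None
    for number, ts_ns, _payload in iter_records(data):
        if prev_ns is not None and prev_ns - ts_ns >= min_jump * 1_000_000_000:
            hits.append((number, (prev_ns - ts_ns) / 1_000_000_000))
        prev_ns = ts_ns
    return hits


def build_pcap(timestamps_us: List[Tuple[int, int]], payload: bytes = b"\x00" * 14) -> bytes:
    """Build a minimal little-endian, microsecond, Ethernet (DLT 1) pcap
    with one record per (seconds, microseconds) pair. Used here only to
    construct test input; a real capture would come from pcapsipdump."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", _MICRO_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec in timestamps_us:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out


# Constructed sample: four records, the third stamped 17.9 s before the
# second, mimicking the symptom reported in this thread.
SAMPLE_PCAP = build_pcap([
    (1_550_000_000, 0),
    (1_550_000_000, 100_000),
    (1_549_999_982, 200_000),   # goes backwards
    (1_550_000_000, 300_000),
])

if __name__ == "__main__":
    for number, delta in find_backward_timestamps(SAMPLE_PCAP):
        print(f"record {number}: timestamp {delta:.3f} s earlier than the previous record")
```

To use it on a real file, read the capture with `open(path, "rb").read()` and pass the bytes to `find_backward_timestamps`; pcapng output (as produced by dumpcap by default) is a different container and would need converting to classic pcap first, for example with `dumpcap -P` or `editcap -F pcap`.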
The platform is Mac.
Mac-mini:Traces root$ tcpdump -h
tcpdump version tcpdump version 4.9.2 -- Apple version 83.200.2
libpcap version 1.8.1 -- Apple version 79.200.4
LibreSSL 2.2.7
System Version: macOS 10.14.3 (18D42)
Kernel Version: Darwin 18.2.0
From what I can determine, only running pcapsipdump watching the interface does this. Passing the pcap files manually, I don't see the issue.
Thanks
Is there anything I can collect for you that might help understand why this is happening?
I'm having the same problem on FreeBSD 11.3-RELEASE #0 r349754
libpcap version 1.9.0