Home page logo
/

wireshark logo Wireshark mailing list archives

Negative delta with UDP / SIP conversation
From: M Holt <m.iostreams () gmail com>
Date: Thu, 20 Jun 2013 13:48:54 -0700

Hello folks,

I have captured a UDP/SIP conversation in a lab environment, from the
perspective of an inline proxy device:

    client     -----     proxy     -----     server
10.10.5.30        10.10.5.90        172.16.215.1

This proxy device changes the destination address, but retains the source
address of the original client.

In my attached capture, there are 8 packets which were filtered based on
Call-ID.  Packet number 2 should be the beginning of the conversation,
based on the little diagram above, but Wireshark is displaying this packet
as number 2, even though it has a negative delta from packet 1.

Based on this, I have two questions:

 1.  How does frame data get populated?  In other words, how does Wireshark
know that frame 10, is not frame 9?  Previously, I had thought this was
always based on time, but that is clearly not the case.

 2. In this specific example, what is causing Wireshark to re-order packets?

Thanks in advance,

 -- Mike

Attachment: sipFlow.txt
Description:

Attachment: sip.dmp
Description:

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault