mailing list archives
Negative delta with UDP / SIP conversation
From: M Holt <m.iostreams () gmail com>
Date: Thu, 20 Jun 2013 13:48:54 -0700
I have captured a UDP/SIP conversation in a lab environment, from the
perspective of an inline proxy device:
client ----- proxy ----- server
10.10.5.30 10.10.5.90 172.16.215.1
This proxy device changes the destination address, but retains the source
address of the original client.
In my attached capture, there are 8 packets which were filtered based on
Call-ID. Packet number 2 should be the beginning of the conversation,
based on the little diagram above, but Wireshark is displaying this packet
as number 2, even though it has a negative delta from packet 1.
Based on this, I have two questions:
1. How does frame data get populated? In other words, how does Wireshark
know that frame 10, is not frame 9? Previously, I had thought this was
always based on time, but that is clearly not the case.
2. In this specific example, what is causing Wireshark to re-order packets?
Thanks in advance,
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
mailto:wireshark-users-request () wireshark org?subject=unsubscribe