0
votes

I noticed that for the transfer of a one-packet file from a remote FTP site to localhost on Linux, Wireshark can always capture the packets in the correct order, but not tcpdump/libpcap or a simple recvfrom on RAW_PACKET with promiscuous mode on.

In the former, the "transfer complete" response is always before the single data packet (they are in different connections, so no TCP reordering), but in the latter the data packet always arrives first - which is clearly wrong according to the protocol and the implementation of FTP servers, since "transfer complete" is sent after the data is sent out - and if the client had received it before the data, it would stop waiting for the data connection, which didn't happen since I can see the data clearly. So libpcap/tcpdump actually captures packets in the wrong order, but there is no such problem in Wireshark?

How is this possible?? Wireshark also uses libpcap...

1
I found that if raw packets are captured with "ETH_P_IP" (IP packets only), the order of packets from different connections would be correct (as in Wireshark), but not with "ETH_P_ALL", which captures everything! Yet ETH_P_ALL is the default in tcpdump, so it's actually broken?? - jiping-s
Both Wireshark and tcpdump use libpcap to capture traffic, and libpcap ALWAYS uses ETH_P_ALL. - user862787

1 Answers

1
votes

In the FTP protocol the payload is transferred in a separate TCP connection, and there are no promises about the order of packets in parallel TCP connections (actually there is no promise about the order of packets even in the same TCP connection; your host should order them).

  1. The server has two open sockets.
  2. It writes the file to the data socket.
  3. Immediately after that it writes "transfer complete" to the control socket. The difference between 2 & 3 is several microseconds.
  4. Packets run through the internet; they could even choose different paths.
  5. They come to your machine in random order.

P.S. Also, a tcpdump file has a packet number and a timestamp for each packet. Packets are not necessarily written sorted by timestamp. Wireshark could order them when showing; take a look at the order field.
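
One way to check the P.S. on a capture file, as an added example that is not part of the original answer: it reads the record headers of a classic pcap file and reports records whose timestamp is earlier than one already written before them. The function names and the three-record sample capture are constructed for illustration.

```python
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # classic pcap magic numbers

def read_records(data):
    """Yield (file_index, timestamp, payload) in the order records sit in the file."""
    if len(data) < 24:  # the global header is 24 bytes
        raise ValueError("not a classic pcap file")
    for endian in "<>":  # the magic number tells us the writer's byte order
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file")
    per_sec = 10**9 if magic == MAGIC_NSEC else 10**6
    offset, index = 24, 1
    while offset + 16 <= len(data):
        sec, frac, caplen, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("truncated record %d" % index)
        yield index, sec * per_sec + frac, data[offset:offset + caplen]
        offset, index = offset + caplen, index + 1

def out_of_order(data):
    """Return (file_index, lag) for records stamped earlier than a preceding record."""
    late, newest = [], None
    for index, ts, _ in read_records(data):
        if newest is not None and ts < newest:
            late.append((index, newest - ts))
        else:
            newest = ts
    return late

def by_timestamp(data):
    """File indices re-sorted by timestamp (ties keep file order)."""
    return [i for i, _, _ in sorted(read_records(data), key=lambda r: r[1])]

def build_sample():
    """Constructed capture: record 2 is stamped 300 us before record 1."""
    # Link type 147 (USER0): the payloads are labels, not real frames.
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 147)
    for sec, usec, payload in [(100, 500, b"data segment"),
                               (100, 200, b"226 Transfer complete"),
                               (100, 900, b"ack")]:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    print(out_of_order(build_sample()), by_timestamp(build_sample()))
```

An empty result from `out_of_order` means file order and timestamp order agree for that capture; the lag is in the file's own time unit (microseconds or nanoseconds).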