
Field tip - packet captures are reordered on HS AMD

jeroen_hautekee
Dynatrace Guide

Hi,

I've noticed that packet captures using "Smart packet capture" in DCRUM are now completely reordered since we migrated to HS AMD.

It's explainable, as the processing of the packets is more parallelized and buffered for performance.

So if you ever have to analyze one of these traces and need to correlate events based on time, don't forget to sort your Wireshark UI on the packet timestamp column (instead of the default 'No').

WKR, Jeroen

1 REPLY

Krzysztof_Ziemi
Dynatrace Pro

Well, yes, that's the reality: packets collected from multiple interfaces, upon recording to a file, are not sorted by their timestamps. We only maintain packet order within each TCP session; other than that, the partial, interface-sourced traces are just concatenated.

This is done for performance reasons. In the case of large packet traces, the overhead required to sort the packets may be significant, and we didn't want to risk extra load on the production AMD, while sorting can be done at analysis time, offline. The consequence is a need to sort packets at the beginning of the analysis.

We will consider whether sorting could be added in future releases.

Best regards
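
The offline sort described in this thread, as an added example that is not part of the original posts and is not Dynatrace code: it rewrites a capture in timestamp order so event correlation does not depend on the viewer's sort column. It assumes the trace is a classic pcap file (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix.
# Microsecond and nanosecond variants share the same record layout.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_records(data):
    """Split a classic pcap into [((ts_sec, ts_frac), raw_record_bytes), ...]."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian, records, off = MAGICS[data[:4]], [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break  # truncated last record: stop instead of guessing
        records.append(((ts_sec, ts_frac), data[off:end]))
        off = end
    return records

def sort_pcap(data):
    """Return the capture with records in timestamp order."""
    # sorted() is stable: records with equal timestamps keep their file order.
    records = sorted(read_records(data), key=lambda r: r[0])
    return data[:24] + b"".join(raw for _, raw in records)

def make_sample():
    """Constructed capture: two per-interface traces concatenated, as in the thread."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    def rec(sec, usec, payload):
        return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    iface_a = rec(10, 500000, b"A1") + rec(10, 900000, b"A2")
    iface_b = rec(10, 100000, b"B1") + rec(10, 700000, b"B2")
    return hdr + iface_a + iface_b

if __name__ == "__main__":
    out = sort_pcap(make_sample())
    print([ts for ts, _ in read_records(out)])
```

Wireshark also ships a `reordercap` command-line tool that writes a timestamp-ordered copy of a capture file.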