Hello: I am using a PC with two NICs to capture both directions of traffic using a Gigamon Copper tap. Unfortunately it appears that one of the NICs is faster than the other in writing to the unified capture file and I have a large number of "TCP ACKed unseen segment" tagged packets in the file. If I sort by time stamp the packets are in the correct order but Wireshark appears to interpret based on the packet number rather than the time stamp.
I was hoping that mergecap would give me a workaround for this situation, but mergecap assumes that all packets within a capture file are already in correct order. I have also tried editcap's -S function to adjust the timestamps.
Any ideas? Is there a utility that will force a resort of packets by time stamp?
asked 31 Jan '13, 14:38
edited 01 Feb '13, 07:29
The development version of Wireshark has a utility called 'reordercap' which does just this. From the man page:
You might want to pick up a development build of Wireshark to check it out.
answered 01 Feb '13, 06:41
Yes, there is a utility that can do this, but it is not publicly available yet. I'm currently writing a Windows-based tool for working with pcapng files that will offer a couple of functions to help with the daily work of analysts.
Right now, I'm spending most time on coding trace file anonymization functionality which is more comfortable than what is already out there. But in the process of building my data processing objects I implemented a function that can read a pcapng file and write it back to disk with all frames sorted by timestamp (which, as you already mentioned, happens a lot when capturing on multiple NICs at the same time). That sorting function worked well in a quick test I did last week, but I haven't tested it on a larger scale, and the maximum file size limit right now is still 2GB per file. The current plan is to demo/release the first version of that tool in a session at this year's Sharkfest conference (the web pages are not yet updated for 2013).
answered 31 Jan '13, 14:54
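Both answers above describe the same operation: read the capture, stably sort the frames by timestamp, write them back out, which is what `reordercap infile outfile` does (its `-n` option skips writing when the input is already ordered). The block below is an added example, not code from the original thread or from either tool the answers mention; it does the same thing for classic libpcap files (not pcapng) in plain Python, and it also counts how many frames are out of order so you can check a file before and after. The sample capture `SAMPLE_PCAP` is constructed inline with four dummy Ethernet-sized frames whose timestamps are deliberately interleaved, the way two NICs writing into one file would produce them.

```python
import struct
import sys

# Classic libpcap magic values (microsecond and nanosecond resolution).
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def _pcap_layout(magic_bytes):
    """Return (struct byte-order prefix, nanosecond flag) from the 4-byte magic."""
    for prefix in ('<', '>'):
        magic = struct.unpack(prefix + 'I', magic_bytes)[0]
        if magic == MAGIC_USEC:
            return prefix, False
        if magic == MAGIC_NSEC:
            return prefix, True
    raise ValueError('not a classic pcap file (pcapng is not handled here)')


def read_pcap(data):
    """Parse a pcap byte string into (global_header, [(ts_ns, raw_record), ...]).

    Each raw_record is the 16-byte record header plus the captured bytes, kept
    verbatim so nothing but the order changes when the file is rewritten.
    """
    prefix, nsec = _pcap_layout(data[:4])
    header = data[:GLOBAL_HEADER_LEN]
    records = []
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError('truncated record header at offset %d' % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            prefix + 'IIII', data[off:off + RECORD_HEADER_LEN])
        end = off + RECORD_HEADER_LEN + incl_len
        if end > len(data):
            raise ValueError('truncated packet data at offset %d' % off)
        # Normalise both resolutions to integer nanoseconds for comparison.
        ts_ns = ts_sec * 1_000_000_000 + (ts_frac if nsec else ts_frac * 1000)
        records.append((ts_ns, data[off:end]))
        off = end
    return header, records


def count_out_of_order(records):
    """Number of records stamped earlier than the record that precedes them."""
    return sum(1 for i in range(1, len(records)) if records[i][0] < records[i - 1][0])


def reorder_pcap(data):
    """Return a new pcap byte string with the records stably sorted by timestamp."""
    header, records = read_pcap(data)
    # sorted() is stable: frames with identical timestamps keep their file order.
    ordered = sorted(records, key=lambda r: r[0])
    return header + b''.join(raw for _, raw in ordered)


# --- constructed sample input (not a real capture) ---------------------------
def _record(ts_sec, ts_usec, payload):
    return struct.pack('<IIII', ts_sec, ts_usec, len(payload), len(payload)) + payload


SAMPLE_PCAP = (
    # magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
    struct.pack('<IHHiIII', MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    + _record(1000, 500, b'\x01' * 60)
    + _record(1000, 300, b'\x02' * 60)   # landed late: written by the slower NIC
    + _record(1000, 700, b'\x03' * 60)
    + _record(1000, 600, b'\x04' * 60)   # likewise
)


if __name__ == '__main__':
    # Usage: python reorder_pcap.py in.pcap out.pcap  (or no args to run on the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], 'rb') as f:
            src = f.read()
    else:
        src = SAMPLE_PCAP
    _, before = read_pcap(src)
    out = reorder_pcap(src)
    _, after = read_pcap(out)
    print('out-of-order frames before: %d, after: %d' % (
        count_out_of_order(before), count_out_of_order(after)))
    if len(sys.argv) == 3:
        with open(sys.argv[2], 'wb') as f:
            f.write(out)
```

Run it with no arguments to see the constructed sample go from two out-of-order frames to zero; with two paths it rewrites a real file. Two practical notes: the sort key is the full timestamp, so frames are moved only relative to each other and their record bytes are never modified, and after reordering you can confirm the result in Wireshark with the display filter `frame.time_delta < 0`, which should match nothing. The "TCP ACKed unseen segment" flags in the question appear because Wireshark's TCP analysis walks frames in file order, so once the file is in timestamp order the ACKs are seen after the segments they acknowledge and the flags go away.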