I have a trace that was taken at various endpoints in the network and combined. If I view the trace by Date and Time of Day, packet 1 ends up somewhere down in the display, as I expect, because it's not the first packet as viewed by Time. When I then use Edit > Find Packet (Packet details, String) and search for a value, the first found packet is Packet 1, and not the time-sorted first packet where it also exists. It is like the Find Packet function defaults to sorting by packet number. Is this a bug? Can I change an option or setting so that WS will find the string when sorted by Time? This behavior has been noted against: Windows 7 Enterprise / Version 1.8.6 (SVN Rev 48142 from /trunk-1.8); OS X Yosemite / Version 1.99.9 (v1.99.9-0-g52a4a78). asked 09 Oct '15, 05:42 dumbmick
2 Answers:
Have you tried using reordercap to sort the packets into timestamp order? Not sure if it's in your quite old Windows version, but that's an easy upgrade. answered 09 Oct '15, 06:10 grahamb ♦ edited 09 Oct '15, 06:11
First, if you really want to merge the trace files, consider using reordercap as suggested by Graham. But merged traces are hard to read. Wireshark will think you have retransmissions when you don't. Consider keeping the trace files separate. You can have multiple instances of Wireshark running, so you can have multiple trace files open at the same time in order to compare. The Find dialog will find all packets that match your search. Just keep using Find Next (Ctrl-N), but it will find them in order of packet number, not in the order in which they are displayed. answered 09 Oct '15, 08:25 Jim Aragon
Thanks Graham. Where should the "reordercap" be located?
It's a command line tool in the same directory as the Wireshark executable. The documentation for it can be found here.
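To illustrate what the two answers describe, here is an added example (not Wireshark code, and not reordercap itself) that does the same job as reordercap on a classic pcap file: it parses the 24-byte global header and the 16-byte per-record headers, stably re-sorts the records by timestamp, and writes them back out. A second helper reproduces the behaviour Jim describes, searching for a string first in packet-number order and then in time order, so you can see why Find lands on Packet 1 in a merged capture whose numbering follows merge order rather than time. The capture is constructed inline (the frames are not real Ethernet) and the timestamps and payloads are made up for the demonstration.

```python
"""Reorder pcap records by timestamp and search them, mirroring reordercap and Wireshark's Find.
Added example; not Wireshark or reordercap source. The sample capture below is constructed."""
import struct
from typing import List, Tuple

# Record: (ts_sec, ts_frac, original_packet_number, raw bytes of record header + data)
Record = Tuple[int, int, int, bytes]


def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Build a minimal little-endian pcap (microsecond magic, linktype 1) from
    (ts_sec, ts_usec, payload) tuples. Test data only; payloads are not real frames."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [global_header]
    for ts_sec, ts_usec, payload in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload)
    return b"".join(out)


def parse_pcap(data: bytes) -> Tuple[bytes, List[Record]]:
    """Split a pcap file into its global header and its records, in file order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec resolution, reader's byte order
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # same magics, byte-swapped
        end = ">"
    else:
        raise ValueError("not a pcap file: magic %#010x" % magic)
    records: List[Record] = []
    off, number = 24, 1
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        end_off = off + 16 + incl_len
        if end_off > len(data):
            raise ValueError("record %d truncated" % number)
        records.append((ts_sec, ts_frac, number, data[off:end_off]))
        off, number = end_off, number + 1
    return data[:24], records


def reorder_by_time(data: bytes) -> Tuple[bytes, List[int]]:
    """Rewrite the file in timestamp order (what reordercap does) and also return the
    original packet numbers in their new order. The sort is stable, so records with
    identical timestamps keep their original relative order."""
    header, records = parse_pcap(data)
    ordered = sorted(records, key=lambda r: (r[0], r[1]))
    return header + b"".join(r[3] for r in ordered), [r[2] for r in ordered]


def find_first(data: bytes, needle: bytes, by_time: bool = False) -> int:
    """Packet number of the first record whose data contains `needle`, or 0 if none.
    by_time=False walks packet-number order, as Wireshark's Find does;
    by_time=True walks the order a time-sorted packet list would display."""
    _, records = parse_pcap(data)
    if by_time:
        records = sorted(records, key=lambda r: (r[0], r[1]))
    for _ts_sec, _ts_frac, number, raw in records:
        if needle in raw[16:]:          # skip the record header, search the packet data
            return number
    return 0


# Constructed "merged" capture: packet numbers follow merge order, timestamps do not.
SAMPLE = build_pcap([
    (1444392300, 500000, b"GET /index.html HTTP/1.1 from host A"),   # packet 1, latest
    (1444392100, 0,      b"ACK from host B"),                        # packet 2, earliest
    (1444392200, 250000, b"GET /index.html HTTP/1.1 from host C"),   # packet 3, middle
])

if __name__ == "__main__":
    sorted_pcap, order = reorder_by_time(SAMPLE)
    print("original packet numbers in time order:", order)                          # [2, 3, 1]
    print("Find in packet-number order:", find_first(SAMPLE, b"GET /index.html"))   # 1
    print("Find in time order:        ", find_first(SAMPLE, b"GET /index.html", True))  # 3
    print("after reordering, first match is packet",
          find_first(sorted_pcap, b"GET /index.html"))                              # 2
```

Once the file has been rewritten in time order, packet numbering and display order agree, so Find Next walks the capture chronologically; that is the practical effect of running reordercap before opening a merged trace.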