This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using find packet in a combined trace

0

I have a trace that was taken at various endpoints in the network and combined. If I view the trace by Date and Time of Day, packet 1 ends somewhere down in the display as I expect because it's not the first packet as viewed by Time. When I then use the edit>find packet (Packet details, string), and search for a value, the first found packet is Packet 1, and not the time sorted first packet where it also exists.

It is like the find packet function defaults to sort by packet number.

Is this a bug?

Can I change an option or setting so that WS will find the string when sorted by Time?

This behavior has been noted against: Windows 7 Enterprise / Version 1.8.6 (SVN Rev 48142 from /trunk-1.8); OS X Yosemite / Version 1.99.9 (v1.99.9-0-g52a4a78)

asked 09 Oct '15, 05:42


dumbmick
6112
accept rate: 0%


2 Answers:

0

Have you tried using reordercap to sort the packets into timestamp order? Not sure if it's in your quite old Windows version, but that's an easy upgrade.

answered 09 Oct '15, 06:10


grahamb ♦
19.8k330206
accept rate: 22%

edited 09 Oct '15, 06:11

Thanks Graham. Where should the "reordercap" be located?

(09 Oct '15, 06:38) dumbmick

It's a command line tool in the same directory as the Wireshark executable. The documentation for it can be found here.

(09 Oct '15, 06:49) grahamb ♦

0

First, if you really want to merge the trace files, consider using reordercap as suggested by Graham.

But merged traces are hard to read. Wireshark will think you have retransmissions when you don't. Consider keeping the trace files separate. You can have multiple instances of Wireshark running, so you can have multiple trace files open at the same time in order to compare.

The Find dialog will find all packets that match your search. Just keep using Find Next (Ctrl-N), but it will find them in order of packet number, not in the order in which they are displayed.

answered 09 Oct '15, 08:25


Jim Aragon
7.2k733118
accept rate: 24%
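To illustrate both answers above (Graham's reordercap suggestion and Jim's point that Find walks packets in stored order), here is an added example that is not code from the thread or from Wireshark: a minimal classic-pcap reader/writer, a timestamp sort standing in for what reordercap does when it rewrites a file, and a Find-style scan that returns the first stored packet containing a string. The capture contents are constructed for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def write_pcap(records):
    """records: list of (sec, usec, payload). Returns classic little-endian pcap bytes."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b''.join(struct.pack('<IIII', s, u, len(p), len(p)) + p for s, u, p in records)
    return hdr + body

def read_pcap(data):
    """Parse a little-endian classic pcap into (sec, usec, payload) tuples in file order."""
    magic = struct.unpack_from('<I', data, 0)[0]
    assert magic == PCAP_MAGIC, 'not a little-endian classic pcap'
    off, out = 24, []
    while off < len(data):
        sec, usec, caplen, _orig_len = struct.unpack_from('<IIII', data, off)
        off += 16
        out.append((sec, usec, data[off:off + caplen]))
        off += caplen
    return out

def reorder_by_time(records):
    """Stable sort by timestamp: the on-disk order reordercap produces."""
    return sorted(records, key=lambda r: (r[0], r[1]))

def find_first(records, needle):
    """Find-style scan in stored (packet-number) order; returns (packet number, payload)."""
    for n, (_sec, _usec, payload) in enumerate(records, 1):
        if needle in payload:
            return n, payload
    return None

# Constructed merged capture: packet 1 was recorded later than packets 2 and 3,
# so a time-sorted display shows it further down, but Find still hits it first.
MERGED = [(1000, 500, b'XX HELLO from site-A'),
          (1000, 100, b'YY HELLO from site-B'),
          (1000, 300, b'ZZ nothing here')]

def demo():
    """First 'HELLO' hit in the merged file as stored, then after a reordercap-style rewrite."""
    as_stored = read_pcap(write_pcap(MERGED))
    as_fixed = read_pcap(write_pcap(reorder_by_time(as_stored)))
    return find_first(as_stored, b'HELLO'), find_first(as_fixed, b'HELLO')
```

Rewriting the file in timestamp order changes which packet Find reaches first, because Find never consults the sort order of the packet list, only the stored sequence.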