Hi, I am trying to use mergecap to correct a packet ordering issue across multiple files from the same interface on an appliance, but it isn't working. In original file, timestamps do not monotonically increase based on the packet order in the file. I would like help in how to use mergecap or some other tool to re-order based on timestamp. Details: I have an appliance that uses an ASIC to apply rules to certain packets, then forward them out various interfaces. This appliance has a pcap utility that allows the ASIC to feed packets from the ASIC to the capture processing running on host OS. When we capture with the utility, packets come in out of order; that is, the timestamps are correct (as confirmed by external capture device in front of and behind the appliance), but sequential packets may have timestamps that vary forwards or backwards. I can't post the packets but here's an example:
The reason they do this is, in my opinion because when they write to disk, they're sorting chunks of packets on the sub-second portion of the timestamp rather than on the full timestamp, but that's irrelevant for this question. When I use mergecap (default, not with -a option) on either a single or multiple files, it doesn't re-order the packets as I thought it would. Does mergecap not actually read the timestamps? Is there a limit on how many frames ahead/behind it can look for the reordering process? Thanks, Tim asked 30 Aug '16, 08:39 CMH_Tim |
2 Answers:
Have you tried using reordercap? answered 30 Aug '16, 10:10 cmaynard ♦♦ |
Have you tried reordercap? DESCRIPTION Reordercap is a program that reads an input capture file and rewrites the frames to an output capture file, but with the frames sorted by increasing timestamp. This functionality may be useful when capture files have been created by combining frames from more than one well-synchronised source, but the frames have not been combined in strict time order. Reordercap writes the output capture file in the same format as the input capture file. Reordercap is able to detect, read and write the same capture files that are supported by Wireshark. answered 30 Aug '16, 10:10 BruteForce Looks like we had a race condition on the forum cmaynard. Concur. (30 Aug '16, 10:11) BruteForce Yes, I suppose you were in the middle of composing your answer when mine had just posted. (30 Aug '16, 10:37) cmaynard ♦♦ |
Thanks to you both. Reordercap did work on the individual and unmerged files to get the traces cleaned up. Guess I just used the wrong search terms when looking for an answer.
I marked cmaynard's response as the answer since it apparently came in slightly ahead. What's appropriate in terms of awarding points or splitting credit for another near-simultaneous answer?
looking further at mergecap's documentation, I did see that it explicitly states that it assumes each capture file is in order, so it makes sense for sequential capture files from a given interface, it would have no effect on ordering.
What's appropriate in terms of awarding points or splitting credit for another near-simultaneous answer?
Since it seems your intention to split the karma, I awarded @BruteForce 1/2 the points.