Save a sorted file using Wireshark

Question

I have sorted my 822 MB pcap file by source IP address in ascending order using Wireshark (I tried with tshark on command line, using |sort, but nothing would happen, stalled, had to ^C). Bt now I need to save that sorted display to another pcap file for further filtering. I tried Export>Specified Packets ,and Export>Packet Dissections, and both save the original file, the unsorted one. How can I save this sorted display? Thank you.

Answer 1

One (slow) way to obtain that goal would be to use scripting. The suggestion below is not tested so you'll probably have to debug it.

At first pass, you'd obtain the list of all source addresses occurring in the capture file, something like:

ip_list = $(tshark -r your/capture/file -T fields -e ip.src | sort -u)

and prepare an empty pcap file to merge the rest with:

tshark -r your/capture/file -Y usb -w your/result/file

Next, you would use a "foreach" cycle over the list:

for ip in $ip_list ; do
    tshark -r your/capture/file -Y "ip.src == $ip" -w /tmp/aux_in_file
    mergecap -a your/result/file /tmp/aux/in_file -w /tmp/aux_out_file
    mv /tmp/aux_out_file your/result/file
done

Clarifications:

-Y usb is an example of a display filter which won't let a single frame through if the input has been captured on an Ethernet interface
without -w file/name, tshark produces a text output, one line per frame, and sends it to stdout so you pipe it to sort; with -w file/name, the output is a pcap(ng)-formatted file and there is nothing on stdout that sort could handle.
the -a option to mergecap makes it append the second input file to the first one, rather than actually merging them, i.e. ordering frames from both up to their timestamps, which is the default behaviour.