1 | initial version |
Surely there is a buffer before writing the packet with a time delay to be able to sort.
It would be possible to have a program that captures packets buffer up a set of packets and write out batches of packets, sorting the packets in that batch by the time stamp delivered by the capture mechanism.
However, the libpcap library (used by tcpdump, Wireshark's capture program dumpcap, and some other programs) does not sort packets in a batch by time stamp before delivering them to programs that use it, and neither tcpdump nor dumpcap don't sort packets in a batch by time stamp by writing them. (The OS capture mechanisms that deliver packets to libpcap on various platforms don't sort packets, either.)
Therefore, Chris Maynard's suggestion that you use reordercap is probably the best way to handle this problem.