0

How do I reorder packets by time stamp if they're out-of-order in the file?

asked 2023-05-04 14:07:45 +0000

Coronitabob

updated 2023-05-04 19:39:34 +0000

Guy Harris

Hello everyone. I have a virtual machine with several network cards to receive traces from several VLANs. The problem is that sometimes the chronological order of packet reception does not match the actual date. I use it to verify SIP calls and it is difficult to see the information if you don't have it sorted. A SIP call is shown in order of packet arrival and I don't see how to change it to the date of the packet. Does anyone have any idea? Surely there is a buffer before writing the packet with a time delay to be able to sort. There may be a difference between packets of 0.01 s approx. Thank you very much for your help.


2 Answers

0

answered 2023-05-04 19:44:46 +0000

Guy Harris

> Surely there is a buffer before writing the packet with a time delay to be able to sort.

It would be possible to have a program that captures packets, buffers up a set of packets, and writes out batches of packets, sorting the packets in that batch by the time stamp delivered by the capture mechanism.

However, the libpcap library (used by tcpdump, Wireshark's capture program dumpcap, and some other programs) does not sort packets in a batch by time stamp before delivering them to programs that use it, and neither tcpdump nor dumpcap sorts packets in a batch by time stamp before writing them. (The OS capture mechanisms that deliver packets to libpcap on various platforms don't sort packets, either.)

Therefore, Chris Maynard's suggestion that you use reordercap is probably the best way to handle this problem.


Comments

Thank you very much for the quick response!!!! The reordercap command is working correctly. It was not the solution I was expecting but I understand your explanation. Thank you very much

Coronitabob (2023-05-05 07:17:49 +0000)

Thank Chris first - he responded first and indicated what to do, I just noted that sorting by time stamp isn't done in most capture paths, so you'd need to use reordercap.

Guy Harris (2023-05-05 09:58:57 +0000)
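The batch-and-sort idea described in the answer above, as an added example (not code from this thread, Wireshark or libpcap): a min-heap holds each record until it is `window_us` older than the newest time stamp seen, and records that arrive later than that are counted instead of being silently misplaced. The function names, the sample capture and the window values are constructed for illustration, and only little-endian microsecond pcap files are handled.

```python
import heapq
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # classic pcap file header (24 bytes)
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
BASE_US = 1_683_209_265_000_000         # constructed capture start time

def read_records(blob):
    """Yield (timestamp_us, raw_record) from a little-endian microsecond pcap."""
    if GLOBAL_HDR.unpack_from(blob)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap variant")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl, _ = REC_HDR.unpack_from(blob, off)
        end = off + REC_HDR.size + incl
        if end > len(blob):
            break  # truncated final record: stop instead of emitting a partial one
        yield sec * 1_000_000 + usec, blob[off:end]
        off = end

def reorder(records, window_us):
    """Hold records window_us behind the newest stamp; return (released, late_count)."""
    heap, out, late, newest, high = [], [], 0, 0, 0
    def release(limit):
        nonlocal late, high
        while heap and heap[0][0] <= limit:
            ts, _, rec = heapq.heappop(heap)
            late += ts < high  # something newer was already written out
            high = max(high, ts)
            out.append((ts, rec))
    for seq, (ts, rec) in enumerate(records):
        newest = max(newest, ts)
        heapq.heappush(heap, (ts, seq, rec))  # seq keeps equal stamps in arrival order
        release(newest - window_us)
    release(float("inf"))  # end of capture: flush everything still buffered
    return out, late

def sample_pcap(offsets_us):
    """Constructed capture: one 4-byte dummy packet per offset, in arrival order."""
    blob = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, off in enumerate(offsets_us):
        sec, usec = divmod(BASE_US + off, 1_000_000)
        blob += REC_HDR.pack(sec, usec, 4, 4) + struct.pack("<I", i)
    return blob

ARRIVAL_US = [0, 12_000, 14_000, 4_000, 20_000, 25_000, 15_000, 31_000]  # constructed

if __name__ == "__main__":
    out, late = reorder(read_records(sample_pcap(ARRIVAL_US)), 20_000)
    print([ts - BASE_US for ts, _ in out], "late:", late)
```

A non-zero late count means the window is too small for the skew between interfaces, so the output still contains out-of-order records.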
0

answered 2023-05-04 18:39:35 +0000

cmaynard

If you want to reorder packets based on timestamp, then you might want to try reordercap.
