0

How do I reorder packets by time stamp if they're out-of-order in the file?

Hello everyone. I have a virtual machine with several network cards to receive traces from several VLANs. The problem is that sometimes the chronological order of packet reception does not match with the actual date. I use it to verify SIP calls and it is difficult to see the information if you don't have it sorted. A SIP call is shown in order of packet arrival and I don't see how to change it to the date of the packet. Does anyone have any idea? Surely there is a buffer before writing the packet with a time delay to be able to sort. There may be a difference between packets of 0.01 s approx. Thank you very much for your help.

Coronitabob
asked 2023-05-04 14:07:45 +0000
Guy Harris
updated 2023-05-04 19:39:34 +0000

2 Answers

0

If you want to reorder packets based on timestamp, then you might want to try reordercap.

cmaynard
answered 2023-05-04 18:39:35 +0000

0

> Surely there is a buffer before writing the packet with a time delay to be able to sort.

It would be possible to have a program that captures packets buffer up a set of packets and write out batches of packets, sorting the packets in that batch by the time stamp delivered by the capture mechanism.

However, the libpcap library (used by tcpdump, Wireshark's capture program dumpcap, and some other programs) does not sort packets in a batch by time stamp before delivering them to programs that use it, and neither tcpdump nor dumpcap sorts packets in a batch by time stamp before writing them. (The OS capture mechanisms that deliver packets to libpcap on various platforms don't sort packets, either.)

Therefore, Chris Maynard's suggestion that you use reordercap is probably the best way to handle this problem.

Guy Harris
answered 2023-05-04 19:44:46 +0000

Comments

Thank you very much for the quick response!!!! The reordercap command is working correctly. It was not the solution I was expecting but I understand your explanation. Thank you very much

Coronitabob (2023-05-05 07:17:49 +0000)

Thank Chris first - he responded first and indicated what to do, I just noted that sorting by time stamp isn't done in most capture paths, so you'd need to use reordercap.

Guy Harris (2023-05-05 09:58:57 +0000)
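
As an added illustration (not part of the answers above and not reordercap's own code), this Python example shows what reordering a capture file by time stamp involves for the classic pcap format: read each record header, sort the records by (seconds, fraction), and write them back after the unchanged file header. The function names and the sample capture bytes are constructed for the example; pcapng files are not handled.

```python
import struct

# Classic pcap magic bytes as they appear on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond time stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond time stamps
}

def read_records(data):
    """Split classic pcap bytes into (file_header, [(ts_sec, ts_frac, raw_record)])."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    records, off = [], 24                      # the file header is 24 bytes
    while off + 16 <= len(data):               # each record header is 16 bytes
        ts_sec, ts_frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):
            break                              # truncated last record: drop it
        records.append((ts_sec, ts_frac, data[off:end]))
        off = end
    return data[:24], records

def timestamps(data):
    """Time stamps of all records, in file order."""
    return [(sec, frac) for sec, frac, _ in read_records(data)[1]]

def reorder(data):
    """Return the same capture with its records sorted by time stamp."""
    header, records = read_records(data)
    # list.sort is stable, so records with equal time stamps keep arrival order.
    records.sort(key=lambda r: (r[0], r[1]))
    return header + b"".join(raw for _, _, raw in records)

def make_sample():
    """Constructed capture: placeholder payloads, second record 0.01 s older than the first."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    packets = [(100, 20000, b"second"), (100, 10000, b"first"), (100, 30000, b"third")]
    return header + b"".join(
        struct.pack("<IIII", sec, usec, len(p), len(p)) + p for sec, usec, p in packets)

if __name__ == "__main__":
    fixed = reorder(make_sample())
    print(timestamps(make_sample()), "->", timestamps(fixed))
```

The whole file is held in memory and sorted at once, which is fine for post-processing a finished capture but is not the batch-while-capturing approach discussed in the answer.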
