tcpdump mailing list archives
Re: tool to reorder packets of a pcap?
From: Bill Fenner <fenner () gmail com>
Date: Thu, 21 Feb 2013 11:04:36 -0500
On Wed, Feb 6, 2013 at 4:08 AM, <rixed () happyleptic org> wrote:
Many people suggested reordercap from wireshark 1.9. Thank you, I was not aware of this tool. But looking at the code, it seams that this program loads the whole pcap before sorting it - this is not practical when the pcap is huge, as is often the case for me. So I wrote a small tool but unfortunately it will be very unpractical for anyone else to use since it uses a badly packaged, unpolished library of mine written in an alien technology[1]. It should be rewriten in C for max usability. The idea is merely to do one single pass with a small buffer of N packets that you can reorder, and check wether the buffer was enough to sort completely the pcap (so that you can ask for another pass). There probably are more intelligent ways to sort a stream inline, but this was enough for my need (I record in a single pcap from several threads with a huge mmap buffer so the packets are somewhat intermixed but not completely random). [1]: http://github.com/rixed/robinet/blob/master/examples/pcap_reorder.ml
tcpslice already does time-based interleaving when you give it multiple pcap files. It might be reasonably straightforward to adapt it to have a buffer of N packets (per pcap) to do local reordering too. Bill _______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- tool to reorder packets of a pcap? rixed (Feb 05)
- Re: tool to reorder packets of a pcap? Guy Harris (Feb 05)
- Re: tool to reorder packets of a pcap? rixed (Feb 20)
- Re: tool to reorder packets of a pcap? Bill Fenner (Feb 21)
- Re: tool to reorder packets of a pcap? Aaron Turner (Feb 20)