Wireshark-dev: Re: [Wireshark-dev] wireshark capture shows packets not chronologically captured

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 17 Dec 2010 10:57:50 -0800
On Dec 17, 2010, at 8:03 AM, Romel Khan wrote:

> I did a capture and noticed that packets are not chronologically sorted.

That sounds like a bug in your OS.  If packets aren't delivered by the OS to the capture mechanism in strict time order, that's an OS bug.  (Yes, that means that if different packets are, as they arrive, processed on different cores, the mechanism should still sort them.  If that imposes a performance penalty, and if some programs that directly use the capture mechanism don't care, then there should be an option to request whether you want strict time ordering or not - and libpcap/WinPcap should request it!)

What version of what OS are you running on?  If Linux, what version of what kernel; if Windows, also indicate what version of WinPcap you have.

> E.g. packet 64, if it were in chronological order, would actually have been packet 5. I can sort by clicking the Time column field. But how can I save it (to a different filename) so if I open that new filename, it will indeed show packet 64 properly as packet 5 (i.e. all packets properly chronologically adjusted)?

There's no mechanism in Wireshark to do that.
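
An added example, not part of the original message and not Wireshark or libpcap code: a small Python script that reports which frames in a capture are out of time order and rewrites the file with records sorted by timestamp. It assumes the classic pcap file format (not pcapng); the function names `read_records`, `sort_pcap` and `out_of_order` are hypothetical, and `SAMPLE` is a constructed four-packet capture.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants), keyed by byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_records(data):
    """Parse a classic pcap file into (global_header, [(sec, frac, raw_record)])."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    records, offset = [], 24          # the global header is 24 bytes
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        end = offset + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append((sec, frac, data[offset:end]))
        offset = end
    return data[:24], records

def out_of_order(data):
    """1-based frame numbers whose timestamp is earlier than the previous frame's."""
    _, records = read_records(data)
    return [i + 1 for i in range(1, len(records))
            if records[i][:2] < records[i - 1][:2]]

def sort_pcap(data):
    """Return the capture with records in timestamp order (stable for ties)."""
    header, records = read_records(data)
    records.sort(key=lambda r: (r[0], r[1]))
    return header + b"".join(raw for _, _, raw in records)

def _rec(sec, usec, payload):
    # Build one constructed little-endian pcap record.
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

# Constructed sample: Ethernet link type, frame 3 carries an earlier timestamp than frame 2.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _rec(100, 500000, b"A") + _rec(100, 900000, b"B")
          + _rec(100, 200000, b"C") + _rec(100, 900000, b"D"))

if __name__ == "__main__":
    print("out-of-order frames:", out_of_order(SAMPLE))
    print("after sorting:", out_of_order(sort_pcap(SAMPLE)))
```

Keep the unsorted original alongside the sorted copy when the capture is evidence, since the original frame order records how the capture mechanism actually delivered the packets.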