Wireshark-dev: [Wireshark-dev] Reordering capture files

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Mon, 17 Sep 2012 09:21:30 -0400
Hi,

I work with log files that are created from multiple sources, and although the timestamps are in good synchronisation, they are often written to the log file slightly out of order (up to a few milliseconds).

editcap -S supports rewriting the timestamps to be in strict chronological order (assuming the frame order will be correct), but this is the opposite of what I need.

So, I'm considering adding a new flag to editcap, or maybe creating a separate console program using wiretap (I haven't thought through how difficult it might be to support other options at the same time).  It would work something like this:
- specify a number N (say 200), that would serve as the number of frames in the ordering buffer
- when a new frame is read from the input file, insert it into its correct time order within the (up-to) N frames in the buffer.  Hopefully not a linear search :)
- write the earliest frame to the output file
- when we reach the end of the input file, just flush the sorted buffer to the output file

Not sure if I'd keep the buffered frames in memory, or go back and reread them when it was time to write them out.


Am I missing an existing way to get this functionality?  Am I the only person who needs this functionality?

Thanks,
Martin
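
The buffering scheme proposed in the message, sketched as an added example that is not part of the original post and not editcap or wiretap code: a binary min-heap keyed on timestamp gives O(log N) insertion instead of a linear search, and the return value reports frames that were displaced further than the window could absorb. `frame_t`, `reorder`, `MAX_WINDOW` and the sample data are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame record: timestamp plus position in the input file. */
typedef struct { uint64_t ts_us; size_t seq; } frame_t;

#define MAX_WINDOW 1024
static frame_t heap[MAX_WINDOW + 1];  /* min-heap; +1 slot for push-then-pop */
static size_t heap_len;
/* Constructed sample input: frames 2 and 4 were logged slightly late. */
const frame_t sample_frames[6] = {{100,0},{300,1},{200,2},{400,3},{350,4},{500,5}};

/* Earlier timestamp first; equal timestamps keep their input order. */
static int before(frame_t a, frame_t b) {
    return a.ts_us != b.ts_us ? a.ts_us < b.ts_us : a.seq < b.seq;
}
static void heap_push(frame_t f) {
    size_t i = heap_len++;
    for (; i > 0 && before(f, heap[(i - 1) / 2]); i = (i - 1) / 2)
        heap[i] = heap[(i - 1) / 2];
    heap[i] = f;
}
static frame_t heap_pop(void) {
    frame_t top = heap[0], last = heap[--heap_len];
    size_t i = 0, c;
    while ((c = 2 * i + 1) < heap_len) {
        if (c + 1 < heap_len && before(heap[c + 1], heap[c])) c++;
        if (!before(heap[c], last)) break;
        heap[i] = heap[c];
        i = c;
    }
    heap[i] = last;
    return top;
}
/* Pass in[0..n) through a `window`-frame buffer into out[0..n). Returns how
 * many frames were written behind a later-stamped one (displaced too far). */
size_t reorder(const frame_t *in, size_t n, size_t window, frame_t *out) {
    size_t written = 0, late = 0;
    if (window > MAX_WINDOW) window = MAX_WINDOW;
    heap_len = 0;
    for (size_t i = 0; i < n || heap_len > 0; i++) {
        if (i < n) heap_push(in[i]);
        if (i < n && heap_len <= window) continue;  /* buffer still filling */
        out[written] = heap_pop();
        if (written > 0 && out[written].ts_us < out[written - 1].ts_us) late++;
        written++;
    }
    return late;
}
```

A non-zero return means the chosen window was too small for that capture and the output is not fully sorted.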