Many people suggested reordercap from wireshark 1.9. Thank you, I was not aware of this tool.
But looking at the code, it seams that this program loads the whole pcap before sorting it - this is not practical when the pcap is huge, as is often the case for me. So I wrote a small tool but unfortunately it will be very unpractical for anyone else to use since it uses a badly packaged, unpolished library of mine written in an alien technology[1]. It should be rewriten in C for max usability. The idea is merely to do one single pass with a small buffer of N packets that you can reorder, and check wether the buffer was enough to sort completely the pcap (so that you can ask for another pass). There probably are more intelligent ways to sort a stream inline, but this was enough for my need (I record in a single pcap from several threads with a huge mmap buffer so the packets are somewhat intermixed but not completely random). [1]: http://github.com/rixed/robinet/blob/master/examples/pcap_reorder.ml _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
