On Wed, Feb 6, 2013 at 4:08 AM, <ri...@happyleptic.org> wrote: > Many people suggested reordercap from wireshark 1.9. > Thank you, I was not aware of this tool. > > But looking at the code, it seams that this program loads the whole pcap > before > sorting it - this is not practical when the pcap is huge, as is often the case > for me. > > So I wrote a small tool but unfortunately it will be very unpractical for > anyone else to use since it uses a badly packaged, unpolished library of mine > written in an alien technology[1]. It should be rewriten in C for max > usability. The idea is merely to do one single pass with a small buffer of N > packets that you can reorder, and check wether the buffer was enough to sort > completely the pcap (so that you can ask for another pass). There probably are > more intelligent ways to sort a stream inline, but this was enough for my need > (I record in a single pcap from several threads with a huge mmap buffer so the > packets are somewhat intermixed but not completely random). > > [1]: http://github.com/rixed/robinet/blob/master/examples/pcap_reorder.ml
tcpslice already does time-based interleaving when you give it multiple pcap files. It might be reasonably straightforward to adapt it to have a buffer of N packets (per pcap) to do local reordering too. Bill _______________________________________________ tcpdump-workers mailing list tcpdump-workers@lists.tcpdump.org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
