Python – How to efficiently re-order packets in PCAP files based on timestamp

Tags: pcap, python, wireshark

I have a PCAP file which contains many packets. They are however out of order based on the timestamp (it is actually randomized). What is the best way to efficiently sort the PCAP packets based on timestamp for later replay?

Currently I am doing this via Scapy and Python as proposed here. This is working, but is really slow. Further, it loads the dump completely in memory, where the timestamps would actually be sufficient. I know sorting is an expensive operation, but this method takes nearly 4 minutes for a 344MB file containing 778589 packets on a modern Core i7.

I also know that Wireshark should include "reordercap", however this tool is not included in current Debian and Ubuntu builds. Before trying to build Wireshark from source, maybe someone has experience with this tool and can suggest how performance will be.

So, to come back to the question: How to efficiently sort packets in PCAP files based on their timestamp? Memory is not the constraint, as the PCAPs will not be larger than 2GB and enough RAM is available, but rather the runtime is important to me. It should complete as fast as possible.

Thank you in advance!

Best Answer

I had the same problem and actually mine was worse because my pcap file was much bigger than yours, so I needed a more efficient way to sort its packets. I found libtrace, which is developed in C, to be a good solution. Unfortunately there are not any direct tools to do the task, but its tracemerge tool merges two (or more) files and sorts the packets. So you should first split your file with tracesplit and then merge them with tracemerge.
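The approach the question sketches (keep only timestamps and offsets in memory, then copy records in sorted order) as an added example; this is not code from either post nor from libtrace or Scapy, it handles classic pcap only (not pcapng), and the three-packet input is constructed inline.

```python
import struct
from io import BytesIO

# Little-endian and big-endian magic for microsecond and nanosecond pcap.
_LE_MAGIC = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGIC = (0xD4C3B2A1, 0x4D3CB2A1)

def index_packets(fh):
    """Return (global_header, records); each record is
    ((ts_sec, ts_frac), file_offset, record_length).
    Only the 16-byte per-packet headers are read; payloads are skipped with seek()."""
    gh = fh.read(24)
    if len(gh) != 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", gh[:4])[0]
    if magic in _LE_MAGIC:
        endian = "<"
    elif magic in _BE_MAGIC:
        endian = ">"
    else:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    records = []
    while True:
        off = fh.tell()
        ph = fh.read(16)
        if not ph:
            break
        if len(ph) != 16:
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", ph)
        fh.seek(incl_len, 1)              # skip payload without reading it
        records.append(((ts_sec, ts_frac), off, 16 + incl_len))
    return gh, records

def sort_pcap(src, dst):
    """Write src's records to dst in timestamp order; returns the sorted timestamps.
    Fractional units (us or ns) are the same within one file, so tuple order is correct."""
    gh, records = index_packets(src)
    records.sort(key=lambda r: r[0])      # stable: equal timestamps keep file order
    dst.write(gh)
    for _ts, off, length in records:
        src.seek(off)
        dst.write(src.read(length))
    return [r[0] for r in records]

def build_sample():
    """Constructed three-packet little-endian pcap (linktype 1) in shuffled order."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(30, 0, b"third"), (10, 500, b"first"), (20, 0, b"second")]
    return gh + b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in pkts)
```

For a real file open the source with `open(path, "rb")` and the destination with `open(out, "wb")`; the sorted index for the 778589-packet file in the question is under a million small tuples, so the sort itself is fast and the cost is dominated by the two sequential passes over the file.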