How to: re-order packets in a sniffed file
Posted by Dries Decock, Last modified by Tom Ghyselinck on 15 February 2018 12:15 PM

In version <= 1.0 of the XRA-31 system software, packets are stored in a pcap file the moment they are seen on the cable.

Due to processing delays, and due to timing differences between upstream and downstream, this will result in a pcap file where packets are stored out-of-order. The timestamp of the packets isĀ  correct however (based on PLC timestamp).

To re-order the packets, so they appear in-order in the pcap file 2 methods can be used:

Re-ordering in Wireshark

Clicking on the "Time" column in Wireshark will sort the packets based on the timestamp in the packets.

Drawback of this method is that when closing the file, and re-opening it, the packets will again be out-of-order.

Re-ordering with reordercap

reordercap is a tool in the Wireshark suite, designed to reorder pcap files based on timestamp:
Syntax is:

reordercap <inputfile> <outputfile>

Depending on the size of the file, this will take a while.

