Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp. The following screenshot shows out-of-order packets found in a trace file generated by Wireshark's dumpcap while capturing via two network interfaces, a typical configuration when using a network TAP.
In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.
Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect and the issue can cause problems with tools such as Wireshark TRANSUM. Above all, it just adds to the complexity of the trace analysis and so what we really need is a way to reorder the packets.
Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.
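To show what the re-sequencing amounts to, here is an added example (not code from this post or from the Wireshark project) that counts negative deltas in a classic pcap file and stably sorts its records by timestamp. The function names and the four-packet sample are constructed for illustration, and pcapng files are not handled.

```python
import struct

# Magic bytes -> struct byte order (microsecond and nanosecond pcap variants).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def read_records(data):
    """Return (global_header, [(ts_sec, ts_frac, raw_record), ...])."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    records, pos = [], 24  # the global header is 24 bytes
    while pos + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, pos)
        end = pos + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        records.append((sec, frac, data[pos:end]))
        pos = end
    return data[:24], records

def count_out_of_order(records):
    """Count packets stamped earlier than the packet before them (negative delta)."""
    return sum(1 for a, b in zip(records, records[1:]) if b[:2] < a[:2])

def reorder(data):
    """Return pcap bytes with the records sorted by timestamp."""
    header, records = read_records(data)
    records.sort(key=lambda r: r[:2])  # stable: equal timestamps keep file order
    return header + b"".join(r[2] for r in records)

def build_sample():
    """Constructed sample: packet 4 carries an earlier timestamp than packet 2."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(100, 10), (100, 500), (100, 900), (100, 300)]
    for i, (sec, usec) in enumerate(stamps):
        payload = bytes([i]) * 4  # payload marks the original packet position
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    sample = build_sample()
    print("negative deltas before:", count_out_of_order(read_records(sample)[1]))
    fixed = reorder(sample)
    print("negative deltas after: ", count_out_of_order(read_records(fixed)[1]))
```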
In this short video we'll look at how we can add the tool to the Workbench Toolbox to give us two-click reordering of any network trace file.
You can still download a free copy of Workbench from the Downloads section of the TribeLab Community website - https://community.tribelab.com
Paul is currently leading the TribeLab project to explore new ways to help IT support people troubleshoot performance and stability problems.