
Reordering Network Packets with Wireshark and Workbench (by Paul Offord)

Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp. The following screenshot shows out-of-order packets that were found in a trace file that was generated by Wireshark dumpcap capturing via two network interfaces; a typical configuration when using a network TAP.

[Screenshot: Neg_delta]

In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.

Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect and the issue can cause problems with tools such as Wireshark TRANSUM. Above all, it just adds to the complexity of the trace analysis and so what we really need is a way to reorder the packets.

Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.

In this short video we'll look at how we can add the tool to the Workbench Toolbox to give us two-click reordering of any network trace file.
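What re-sequencing by timestamp involves, shown as an added example (not part of the original post and not Wireshark's Reordercap code): this Python sketch finds packets with a negative delta in a classic pcap file and writes the records back in timestamp order. It assumes the classic pcap format only (not pcapng), and the sample trace is constructed so that the fourth packet is stamped earlier than the second.

```python
import struct

# Classic pcap magic (first 4 bytes as stored) -> struct byte-order prefix.
# Covers microsecond and nanosecond variants from little- and big-endian writers.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def read_pcap(data):
    """Return (global_header, [(ts_sec, ts_frac, record_bytes), ...])."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = MAGICS[data[:4]]
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        end = off + 16 + incl_len
        if end > len(data):  # truncated final record: stop, keep what is whole
            break
        records.append((sec, frac, data[off:end]))
        off = end
    return data[:24], records

def negative_deltas(records):
    """Indexes of packets whose timestamp is earlier than the previous packet's."""
    return [i for i in range(1, len(records))
            if records[i][:2] < records[i - 1][:2]]

def reorder(data):
    """Return pcap bytes with records in timestamp order (stable for equal times)."""
    header, records = read_pcap(data)
    records.sort(key=lambda r: (r[0], r[1]))
    return header + b"".join(r[2] for r in records)

def sample_trace():
    """Constructed trace: packet 4 is stamped earlier than packet 2."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(100, 0), (100, 500), (100, 900), (100, 300)]
    return hdr + b"".join(
        struct.pack("<IIII", s, us, 1, 1) + bytes([n])  # 1-byte payload = packet no.
        for n, (s, us) in enumerate(stamps, 1))

if __name__ == "__main__":
    trace = sample_trace()
    print("out of order at index:", negative_deltas(read_pcap(trace)[1]))
    print("after reorder:", negative_deltas(read_pcap(reorder(trace))[1]))
```

Because the sort is stable, packets with identical timestamps keep their original relative order, so the deltas in the rewritten file are never negative.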

 

 


You can still download a free copy of Workbench from the Downloads section of the TribeLab Community website - https://community.tribelab.com

Best regards...Paul

 

Author Profile - Paul Offord has had a 39-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems.

Paul is currently leading the TribeLab project to explore new ways to help IT support people troubleshoot performance and stability problems.
