Dear Jim/Vern,

Sorry for the delayed answer.  I found that ipsumdump has problems with some specific files no matter the number of pcap files, but, of course using a large amount of input files increase the possibilities of having problems ( unfortunately I cannot figure out the reason). I tried to use tcpslice instead, but my server crash twice apparently due to tcpslice trying to merge 300 files.
I couldn't test it again to avoid problems.
Any help is welcome, but it doesn't seem timestamp order is the problem for my case. 
My goal is to provide BRO with enough input data for recognizing complete connections, detect protocols and avoid any weird activity due cause by split connections among several pcap files.

Thank you,

Veronica Estrada
Nakao Laboratory - Network Systems Research Group
University of Tokyo



I used to use ipsumdump to stitch together multiple pcap files into one, but
have found on occasion that it doesn't always output in timestamp sorted order.
 Don't have a testcase right now, but IIRC, it occurred if using a large number
of files.

Consequently, I wrote a little utility 'tcpsort', which although it has its
deficiencies (in memory sort of timestamps which restricts total size of input
files, and two passes thru the input files)  works for the purpose of stitching
multiple pcap files together in timestamp sorted order.  I can post if if
there's interest.



--
Jim Mellander
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

knot in cables caused data stream to become twisted and kinked