Sorry for the delayed answer. I found that ipsumdump has problems with some
specific files no matter the number of pcap files, but, of course, using a
large number of input files increases the possibility of having problems
(unfortunately I cannot figure out the reason). I tried to use tcpslice
instead, but my server crashed twice, apparently due to tcpslice trying to
merge 300 files.
I couldn't test it again to avoid problems.
Any help is welcome, but it doesn't seem timestamp order is the problem for
My goal is to provide BRO with enough input data to recognize complete
connections, detect protocols and avoid any weird activity caused by
connections split among several pcap files.
Nakao Laboratory - Network Systems Research Group
University of Tokyo
I used to use ipsumdump to stitch together multiple
pcap files into one,
have found on occasion that it doesn't always output in timestamp sorted
Don't have a testcase right now, but IIRC, it occurred if using a large
Consequently, I wrote a little utility 'tcpsort', which although it has its
deficiencies (in-memory sort of timestamps which restricts total size of
files, and two passes thru the input files) works for the purpose of
multiple pcap files together in timestamp sorted order. I can post it if
Lawrence Berkeley National Laboratory
The reason you are having computer problems is:
knot in cables caused data stream to become twisted and kinked
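
The thread above concerns merging many pcap files into one timestamp-ordered trace. The following is an added example, not the tcpsort utility mentioned in the thread and not code from either poster: a streaming k-way merge that holds one packet per input file in memory instead of sorting all timestamps at once. It assumes classic microsecond-resolution pcap files that share one link type and are each already in timestamp order internally; the function names are hypothetical.

```python
import heapq
import io
import struct

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def read_packets(stream):
    """Yield (sec, usec, caplen, orig_len, data) from one classic pcap stream."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", header[:4])[0] == MAGIC:
        endian = "<"
    elif struct.unpack(">I", header[:4])[0] == MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # clean EOF or truncated trailing record header
        sec, usec, caplen, orig_len = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            return  # last packet cut short, e.g. capture was interrupted
        yield sec, usec, caplen, orig_len, data


def merge_pcaps(inputs, output, snaplen=65535, linktype=1):
    """K-way merge by timestamp; returns the number of packets written."""
    output.write(struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, linktype))
    merged = heapq.merge(*(read_packets(s) for s in inputs), key=lambda p: (p[0], p[1]))
    count = 0
    for sec, usec, caplen, orig_len, data in merged:
        output.write(struct.pack("<IIII", sec, usec, caplen, orig_len) + data)
        count += 1
    return count


def make_pcap(packets, endian="<"):
    """Build a constructed in-memory pcap from (sec, usec, payload) tuples."""
    buf = struct.pack(endian + "IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        buf += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload)) + payload
    return io.BytesIO(buf)
```

With real files, pass objects opened in binary mode as `inputs` and `output`; an input that is not internally sorted has to be sorted on its own first, since the merge only interleaves already-ordered streams.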