I am looking for a way to do a "stare and compare" packet analysis. I have a situation with a SIP carrier who is sending an INVITE for a number that works and others that do not. They seem identical in format and such but I noticed that they were slightly different sizes (1109 for the one that worked and 1112 for the ones that don't work). Where they differ, however, is the problem. Is there a utility tool that is set up for this? Thanks Eric asked 11 Feb '13, 15:11 EricKnaus |
3 Answers:
When I have to do something like this I try to avoid doing "spot the difference" compares by viewing the traces side by side. I'd rather save the two frames in question into a separate trace (so that they're right next to each other) - this is easy to do by marking the two frames in question and then using "File -> Export Specified Packets" and selecting "marked packets" in the selection box. Then, you can just load this very short trace file and use cursor up/down to go back and forth between the two frames. By looking at the hex view you can see what bytes change right away, and after that check the decode for what they stand for. If saving is too complicated you could also use the "Go back/forward in Packet History" buttons in the toolbar after having clicked on both packets in question, but if the distance is greater than a few frames it can be confusing. As Hansang and I always say: the human eye is good in spotting changes more than staring at immobile text :-) answered 11 Feb '13, 15:55 Jasper ♦♦ edited 11 Feb '13, 16:02 |
Don't you see a difference if you look at the payload in HEX (possibly export the HEX output and let WinDiff find the difference). Here is how I would do it.
Comapre the files with WinDiff or WinMerge. Ignore the first 40 bytes IP/TCP header (+/- 1 or 2 bytes depending on the header fields). Now you should see a difference. If there is none, can you upload those two packets (or the HEX output) somewhere (google docs, one click file hoster, pastebin.com., etc. BEWARE the privacy issues in doing so!!). Regards answered 12 Feb '13, 04:54 Kurt Knochner ♦ |
Save packets into their parsed textual representation: File->Export packet dissections->(select format),in the save dialog specify the packets and "packet details" to include. Then do a diff over the textual results answered 19 Mar '15, 11:45 native_api edited 19 Mar '15, 11:46 |
Jasper - thanks for your answer and that was where I was headed. The carrier insists they are sending the SIP invites the same way every time. The manufacturer insists that they are not. Neither seem all that willing to slug it out bit-by-bit with me (I'm willing!). So, I was looking for something that was more automated instead of me saying to one or the other "Here it is" versus a program/tool that would highlight an extra white space, character -- anything. They tend to be more receptive to that sort of thing. Tried WinDiff but that was not useful in this case. Thanks
Eric
Sounds like you're trying to find a more automatic solution? If one compare sample is enough, you can do what @kurt suggests - use exporting to get ASCII representations and then diff them. If you need to compare tons of samples things get a lot more complicated...
The 'problem' is: It's not about comparing different pcap files (there are more/or less good ways to do that). It's about comparing packets (actually just the payload) within a single capture file. That's something you usually do not need, except for very special cases. I don't think there is any automatic solution 'out there' that does exactly that.