I am looking for a way to do a "stare and compare" packet analysis. I have a situation with a SIP carrier who is sending an INVITE for a number that works and others that do not. They seem identical in format and such but I noticed that they were slightly different sizes (1109 for the one that worked and 1112 for the ones that don't work). Where they differ, however, is the problem. Is there a utility tool that is set up for this?
asked 11 Feb '13, 15:11
When I have to do something like this I try to avoid doing "spot the difference" compares by viewing the traces side by side. I'd rather save the two frames in question into a separate trace (so that they're right next to each other) - this is easy to do by marking the two frames in question and then using "File -> Export Specified Packets" and selecting "marked packets" in the selection box.
Then, you can just load this very short trace file and use cursor up/down to go back and forth between the two frames. By looking at the hex view you can see what bytes change right away, and after that check the decode for what they stand for.
If saving is too complicated you could also use the "Go back/forward in Packet History" buttons in the toolbar after having clicked on both packets in question, but if the distance is greater than a few frames it can be confusing.
As Hansang and I always say: the human eye is good at spotting changes more than staring at immobile text :-)
answered 11 Feb '13, 15:55
edited 11 Feb '13, 16:02
Don't you see a difference if you look at the payload in HEX (possibly export the HEX output and let WinDiff find the difference)?
Here is how I would do it.
Compare the files with WinDiff or WinMerge. Ignore the first 40 bytes of IP/TCP header (+/- 1 or 2 bytes depending on the header fields).
Now you should see a difference. If there is none, can you upload those two packets (or the HEX output) somewhere (Google Docs, one click file hoster, pastebin.com, etc. BEWARE the privacy issues in doing so!!).
answered 12 Feb '13, 04:54
Kurt Knochner ♦
Save packets into their parsed textual representation:
File -> Export packet dissections -> (select format); in the save dialog, specify the packets and "packet details" to include.
Then do a diff over the textual results.
answered 19 Mar '15, 11:45
edited 19 Mar '15, 11:46
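The hex comparison and the text diff suggested in the answers above can be scripted; the following is an added example, not part of the original thread. The two INVITEs, the 40 stand-in header bytes, the host names and every function name are constructed for illustration, and the 3-byte difference shown is not the cause of the asker's problem.

```python
import difflib

HDR_LEN = 40  # bytes to skip before the payload, as in the answer above; adjust to the capture

def payload(frame: bytes, hdr_len: int = HDR_LEN) -> bytes:
    """Drop the leading header bytes so only the SIP message is compared."""
    return frame[hdr_len:]

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the inputs are identical."""
    if a == b:
        return None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))  # one input is a prefix of the other

def line_diffs(a: bytes, b: bytes):
    """SIP lines that differ, as (lines_from_a, lines_from_b) pairs."""
    la = a.decode("latin-1").split("\r\n")
    lb = b.decode("latin-1").split("\r\n")
    sm = difflib.SequenceMatcher(None, la, lb, autojunk=False)
    return [(la[i1:i2], lb[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def make_invite(user: str) -> bytes:
    """Constructed sample INVITE; only the Request-URI user part varies."""
    lines = [
        f"INVITE sip:{user}@pbx.example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP carrier.example.invalid:5060;branch=z9hG4bK-constructed",
        "From: <sip:caller@carrier.example.invalid>;tag=1",
        "To: <sip:callee@pbx.example.invalid>",
        "Call-ID: constructed-1@carrier.example.invalid",
        "CSeq: 1 INVITE",
        "Content-Length: 0",
        "", "",
    ]
    return "\r\n".join(lines).encode("latin-1")

# Constructed frames: 40 stand-in header bytes (not a real IP header) plus the INVITE.
# The headers differ at offset 5, the way per-packet header fields do.
FRAME_OK = bytes(40) + make_invite("5550100")
FRAME_BAD = bytes(5) + b"\x01" + bytes(34) + make_invite("0015550100")

if __name__ == "__main__":
    ok, bad = payload(FRAME_OK), payload(FRAME_BAD)
    print("size delta:", len(bad) - len(ok), "first payload diff at:", first_diff(ok, bad))
    for old, new in line_diffs(ok, bad):
        print("-", old, "\n+", new)
```

Comparing the raw frames reports the header byte first, which is why the headers are skipped before looking for the difference that matters.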