Hello All, I have a question as I have started working on Wireshark recently. I have two capture files and under both the Pcaps, there are so many VoIP calls but I am only interested in one VoIP (SIP) call which is actually somewhat similar in both the captures. The flow of that call includes multiple legs as the call is going through an SBC and also it includes multiple re-invites. So basically the call flow of that call is really big and call flow is same in both Pcaps. There can be some differences in the Headers of SIP Invite message or any other followed message. So the question is that is it possible to compare these two calls, which exist in different Pcaps, and identify the differences in Headers (or the Values under Headers or any other type of differences) of the messages of those calls. Please let me know how to achieve the same. Thanks in advance!!! Regards, Ayush asked 04 Jul '13, 10:35  Ayush J |
One Answer:
The first thing to do would be to cleanly define the call and filter out all the other VoIP calls you mention. If you can write out a display filter that cleanly matches only the traffic you want, or mark them all, you can export only that one call into its own .pcap file to isolate it (do the same for both packet captures, so you have only that one call in both new .pcap files). Once you have the two calls lined up, you should be able to do an eye-ball comparison but if you want something that will look at each packet and say what header is different in what way automatically, the only things that come to mind are the protocol hierarchy view in Wireshark (Statistics > Protocol Hierarachy) which will at least give you a protocol comparison, and the Summary view (Statistics > Summary) which will give you a break down of byte counts and packet counts. Beyond that, you can eye-ball the traces packet for packet since they're the same call as you say. You could do a quick scan on the Length field, or set TCP length as a column and compare those as well to see if there are any payload differences at those levels. answered 06 Jul '13, 16:45  Quadratic |
