Compare and merge capture files

I'm looking for a method or tool to compare and merge capture files. I already googled a lot and found tools like pcapdiff and the built-in Wireshark compare function, but none fits my needs.

I want to do the same action (maybe sending an email) three times and capture the internet traffic every time. Afterwards I want to compare all three capture files and filter out the packets which are captured every time (cut off unique packets or packet patterns), so I could cut out the traffic which has nothing to do with sending the email.

Is there any known tool which compares different pcap files and filters out packets which do not fit the overall pattern of packets according to IP address and size? It is not possible to compare those files by reference to timestamps or payload (the payload is encrypted).

I would be very happy if anyone knows this problem and got a solution.

Kind regards,

Alex

asked 29 May '15, 10:27

z4ck

I would be very happy if anyone knows this problem and got a solution.

Well, you did not describe your problem, so it's hard to suggest a solution. What 'similarities' are you trying to find in 3 totally different TCP streams (because the payload is encrypted)?

(30 May '15, 08:06) Kurt Knochner ♦

One Answer:

Most tools I have seen only compare capture files that have been captured at multiple locations at the same time (meaning, with at least some truly identical packets). I'm not even sure your approach of comparing different captures taken at different times is going to work - even things as simple as sending a mail may not be the same in each capture, e.g. when the MX record for the destination mail server is doing some kind of round robin. In that case you'll get different destination IPs every time and can't compare anything.

Other than that I guess you're down to manual work - I don't think there is any tool that can do what you want. Maybe you can use the conversation statistics of Wireshark, export the table for each file you have (sorted the same way, of course), and then use a text diff tool to find out which lines are different.

answered 29 May '15, 10:57

Jasper ♦♦
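One way to carry out the export-and-diff approach from the answer above, as an added example that is not part of the original thread: a Python script that parses tshark-style IPv4 conversation tables (constructed sample data approximating `tshark -r run.pcap -q -z conv,ip` output; byte columns are ignored because their formatting varies between tshark versions), keeps the endpoint pairs present in every run, reports the pairs that only occur in some runs, and emits a Wireshark display filter for the common set. The third sample run reaches a different mail server address on purpose, to show how the MX round-robin case described above drops that conversation out of the common set.

```python
import re
from collections import Counter

# Constructed sample data: one tshark-style IPv4 conversation table per
# email-sending run. Addresses and counts are invented; run3 reaches a
# different MX address, so its SMTP conversation will not be common to all.
CAPTURES = {
    "run1.pcap": """\
IPv4 Conversations
Filter:<No Filter>
192.168.1.10 <-> 192.168.1.1       2     140       2     180       4     320   0.000000   0.01
192.168.1.10 <-> 198.51.100.25    12    4100      10    2200      22    6300   0.010000   1.20
192.168.1.10 <-> 203.0.113.7       5    1900       6    9000      11   10900   0.300000   0.80
""",
    "run2.pcap": """\
192.168.1.10 <-> 192.168.1.1       2     140       2     180       4     320   0.000000   0.01
192.168.1.10 <-> 198.51.100.25    13    4200      10    2200      23    6400   0.020000   1.10
192.168.1.10 <-> 192.0.2.44        3     300       3     300       6     600   0.500000   0.20
""",
    "run3.pcap": """\
192.168.1.1 <-> 192.168.1.10       2     180       2     140       4     320   0.000000   0.01
192.168.1.10 <-> 198.51.100.26    12    4100      10    2200      22    6300   0.010000   1.30
""",
}

# A data line: addr <-> addr, then frames/bytes for <-, ->, and total.
CONV_RE = re.compile(r"^\s*(\S+)\s+<->\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_conversations(table):
    """Map each endpoint pair (order-normalised) to its total frame count."""
    convs = {}
    for line in table.splitlines():
        m = CONV_RE.match(line)
        if m:
            convs[tuple(sorted((m.group(1), m.group(2))))] = int(m.group(7))
    return convs

def conversation_sets(captures):
    return {name: set(parse_conversations(t)) for name, t in captures.items()}

def common_conversations(captures):
    """Endpoint pairs seen in every capture: the traffic the action always causes."""
    return set.intersection(*conversation_sets(captures).values())

def unique_conversations(captures):
    """Pairs missing from at least one capture, mapped to the captures that hold them."""
    sets = conversation_sets(captures)
    seen = Counter(pair for s in sets.values() for pair in s)
    return {pair: sorted(n for n, s in sets.items() if pair in s)
            for pair, count in seen.items() if count < len(sets)}

def display_filter(pairs):
    """Wireshark display filter that keeps only the given IPv4 conversations."""
    return " || ".join(f"(ip.addr=={a} && ip.addr=={b})" for a, b in sorted(pairs))

if __name__ == "__main__":
    print("Common to all runs:", display_filter(common_conversations(CAPTURES)))
    for pair, names in unique_conversations(CAPTURES).items():
        print("Only in", names, ":", pair)
```

Apply the printed filter to each capture to keep the traffic shared by all runs; the "only in" lines are the diff the answer describes, and here they expose the 198.51.100.25 versus 198.51.100.26 drift.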

Hi Jasper,

thanks for your fast answer.

At the moment I guess I have to filter packets manually as you said. Maybe I'll try exporting to txt and cutting with awk or sed. Maybe afterwards I get a result to work with.

I didn't really think about the MX records and my other routing changes.

Maybe I could try to compare pcap entries by reference to packet size and progress.

In the end the merge process is not the main thing, but it could be helpful to cut off some surrounding traffic.

Thanks

(29 May '15, 11:36) z4ck