This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Comparison of packet captures

0

Ideally I want to be able to use something like the compare feature but with the ability to be more specific.

A good example would be to take two responses to an identical request and get the differences in the responses highlighted with the ability to filter out differences I don't care about.

asked 28 Jul '11, 11:59


Brandon
accept rate: 0%

So what exactly is your question? This is after all a question and answer site.

(29 Jul '11, 17:55) cmaynard ♦♦

I would like to do a similar thing to work out the issues that we are experiencing accessing a web application through a VPN and IPS's network. Looking for a quick way of running a capture at source (from a monitor port on a local switch) and comparing to a capture from the host.

Looking to identify any mutation of the header, packet loss or truncation. At the same time filter packets from other sessions. The clients are not behind a particular gw, full s2s so I'm hoping the compare filtering wouldn't be too dissimilar to wireshark.

Will have a look and see what tools there are

(15 Jul '12, 04:32) xeode

One Answer:

0

I would like to do a similar thing to work out the issues that we are experiencing accessing a web application through a VPN and IPS's network

I would use tcpflow (part of major linux distros) for this. Feed it a capture file and it will output all tcp streams, each in a file, named like this:

x.x.x.x.sport-y.y.y.y.dport

These files will contain the payload data. In the case of a web request, it will be the requests and responses. Then just compare those files (diff) at the client side with those at the server side to find any differences.

If there is NAT in place, it might be a bit extra work to identify identical/related sessions. Start with the source port. If you're lucky, the NAT device does not change that. Otherwise the order of the TCP "streams" is a good criterion as well (file creation time). If that does not work either (it should), you need a script that reads all files, and creates a hash over all request URLs in each file. Files with the same request hash "might" be related, if the stream index (only visible by the file creation time).

Together with the other criteria I mentioned, you should be able to automate the comparison process.

HINT: If you use HTTPS, things will get a bit tricky, as tcpflow is not able to decrypt traffic. Please report back, if you need a solution for that.

Regards
Kurt

answered 15 Jul '12, 06:51


Kurt Knochner ♦
accept rate: 15%
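The pairing-and-diff step from the answer above, as an added example that is not part of the original thread: it takes tcpflow-style files from both capture points, matches them by source port and falls back to a hash over the request lines when NAT has rewritten the port, then diffs the paired payloads. The file names, flow contents and the zero-padded tcpflow naming are constructed assumptions.

```python
import difflib
import hashlib
import re

# Constructed sample of tcpflow output (file name -> payload) captured at the
# client and at the server. The second flow was NATed, so its source IP and
# port differ on the server side, and the path dropped the X-Custom header.
CLIENT_FLOWS = {
    "010.000.000.005.41234-203.000.113.010.00080":
        "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "010.000.000.005.41235-203.000.113.010.00080":
        "GET /app/login HTTP/1.1\r\nHost: app.example\r\nX-Custom: abc\r\n\r\n",
}
SERVER_FLOWS = {
    "198.051.100.001.41234-203.000.113.010.00080":
        "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "198.051.100.001.55001-203.000.113.010.00080":
        "GET /app/login HTTP/1.1\r\nHost: app.example\r\n\r\n",
}

FLOW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)-(\d+\.\d+\.\d+\.\d+)\.(\d+)$")
REQ_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/", re.M)

def source_port(name):
    """Source port from a tcpflow-style file name (assumed x.x.x.x.sport-y.y.y.y.dport)."""
    m = FLOW_RE.match(name)
    return int(m.group(2)) if m else None

def request_hash(payload):
    """Hash over all request lines (method + URL) of a flow, in order."""
    reqs = " ".join(f"{m.group(1)} {m.group(2)}" for m in REQ_RE.finditer(payload))
    return hashlib.sha256(reqs.encode()).hexdigest()

def pair_flows(client, server):
    """Map client file -> server file: by source port first, then by request hash."""
    pairs, unused = {}, set(server)
    for cname in client:
        port = source_port(cname)
        match = next((s for s in unused if source_port(s) == port), None)
        if match is None:  # NAT rewrote the port: fall back to the request-URL hash
            h = request_hash(client[cname])
            match = next((s for s in unused if request_hash(server[s]) == h), None)
        if match:
            pairs[cname] = match
            unused.discard(match)
    return pairs

def diff_flows(a, b):
    """Unified diff of two payloads; an empty list means the flows are identical."""
    return list(difflib.unified_diff(a.splitlines(), b.splitlines(),
                                     "client", "server", lineterm=""))
```

Run `diff_flows` over each pair returned by `pair_flows(CLIENT_FLOWS, SERVER_FLOWS)` to see which headers were altered or stripped in transit.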