This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ideally I want to be able to use something like the compare feature but with the ability to be more specific.

A good example would be to take two responses to an identical request and get the differences in the responses highlighted with the ability to filter out differences I don't care about.

asked 28 Jul '11, 11:59

Brandon

So what exactly is your question? This is after all a question and answer site.

(29 Jul '11, 17:55) cmaynard ♦♦

I would like to do a similar thing to work out the issues that we are experiencing accessing a web application through a VPN and IPS's network. Looking for a quick way of running a capture at source (from a monitor port on a local switch) and comparing to a capture from the host.

Looking to identify any mutation of the header, packet loss or truncation. At the same time filter packets from other sessions. The clients are not behind a particular gw, full s2s so I'm hoping the compare filtering wouldn't be too dissimilar to wireshark.

Will have a look and see what tools there are.

(15 Jul '12, 04:32) xeode

I would like to do a similar thing to work out the issues that we are experiencing accessing a web application through a VPN and IPS's network

I would use tcpflow (part of major Linux distros) for this. Feed it a capture file and it will output all TCP streams, each in a file, named like this:

x.x.x.x.sport-y.y.y.y.dport

These files will contain the payload data. In the case of a web request, it will be the requests and responses. Then just compare those files (diff) at the client side with those at the server side to find any differences.

If there is NAT in place, it might be a bit of extra work to identify identical/related sessions. Start with the source port. If you're lucky, the NAT device does not change that. Otherwise the order of the TCP "streams" is a good criterion as well (file creation time). If that does not work either (it should), you need a script that reads all files, and creates a hash over all request URLs in each file. Files with the same request hash "might" be related, if the stream index (only visible by the file creation time).

Together with the other criteria I mentioned, you should be able to automate the comparison process.

HINT: If you use HTTPS, things will get a bit tricky, as tcpflow is not able to decrypt traffic. Please report back, if you need a solution for that.

Regards
Kurt

answered 15 Jul '12, 06:51

Kurt Knochner ♦
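The matching steps from the answer above (a hash over the request URLs of each tcpflow file, stream order as the tie-breaker, then a diff), as an added Python example that is not part of the original post. The file names, the sample payloads and the `ignore_headers` parameter are constructed for illustration; `load_flows` assumes a directory that holds only tcpflow output files.

```python
import difflib
import hashlib
import re
from pathlib import Path

REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r?$", re.M)

def url_hash(payload):
    """SHA-256 over the ordered HTTP/1.x request URLs of one stream, None if it has none."""
    urls = REQUEST_LINE.findall(payload)
    return hashlib.sha256(b"\n".join(urls)).hexdigest() if urls else None

def load_flows(directory):
    """Read tcpflow output files oldest first, so dict order follows stream order."""
    files = sorted((p for p in Path(directory).iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime)
    return {p.name: p.read_bytes() for p in files}

def pair_flows(client, server):
    """Pair streams with equal URL hashes; ties are resolved in stream order."""
    waiting = {}
    for name, payload in server.items():
        waiting.setdefault(url_hash(payload), []).append(name)
    pairs = []
    for name, payload in client.items():
        key = url_hash(payload)
        if key is not None and waiting.get(key):
            pairs.append((name, waiting[key].pop(0)))
    return pairs

def diff_payloads(a, b, ignore_headers=()):
    """Unified diff of two payloads without the header lines named in ignore_headers."""
    skip = tuple(h.lower() + ":" for h in ignore_headers)
    def keep(data):
        return [l for l in data.decode("latin-1").splitlines()
                if not l.lower().startswith(skip)]
    return list(difflib.unified_diff(keep(a), keep(b), "client", "server", lineterm=""))

# Constructed sample: NAT rewrote the source address and port, a middlebox changed two headers.
CLIENT = {"10.0.0.5.50001-192.0.2.10.80":
          b"GET /login HTTP/1.1\r\nHost: app.example\r\nVia: a\r\nX-Trace: 1\r\n\r\n"}
SERVER = {"198.51.100.7.61234-192.0.2.10.80":
          b"GET /login HTTP/1.1\r\nHost: app.example\r\nVia: b\r\nX-Trace: 2\r\n\r\n"}

if __name__ == "__main__":
    for c, s in pair_flows(CLIENT, SERVER):
        print(c, "<->", s)
        print("\n".join(diff_payloads(CLIENT[c], SERVER[s], ignore_headers=["Via"])))
```

With real captures, pass `load_flows("client_dir")` and `load_flows("server_dir")` to `pair_flows` in place of the sample dictionaries.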


question asked: 28 Jul '11, 11:59

question was seen: 4,852 times

last updated: 15 Jul '12, 06:51
