This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Two capture comparison | Data corruption issue

0

Hello,

I have an issue in the network. Files are sometimes getting corrupted while being copied using SMB over a WAN link. I did a packet capture on both ends and now need a tool to compare packet/segment payload/body/data to find exactly which packet is being corrupted/changed.

Is there any tool that will allow me to compare the payloads of sent and received packets? Checking checksums on the receiver is not welcome because I think the packets are being corrupted in the network and their checksums are being calculated after that. Thanks.

Handshake.

asked 13 Oct '16, 12:26


handshake
accept rate: 0%


One Answer:

0

I'm sure better tools exist, but you may use tshark with an appropriate filter to dump just the tcp.seq and tcp.checksum of the necessary direction of the SMB session in question from both captures to text files, and then use diff to compare the text files. The TCP checksum of the corrupt packet as it arrived at the destination will probably be correct, but it will be different from the one at the source.

tshark -r <file_name> -Y "tcp.stream == n and ip.dst == m.m.m.m" -T fields -e tcp.seq -e tcp.checksum

This assumes that no packets have been lost and retransmitted, though. If they have, you would have to use sort -u before running the diff.

answered 13 Oct '16, 12:45


sindy
accept rate: 24%
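The comparison described in the answer above, as an added example that is not part of the original post: it goes one step further than a plain diff by grouping checksums per sequence number, so retransmissions and segments missing from one capture are reported explicitly. The names compare_dumps and demo and all sample values are constructed for illustration. It assumes nothing between the capture points rewrites addresses or re-segments the stream, and that checksum offload on the sending host has not left invalid checksums in the source capture.

```sh
#!/bin/sh
# Dumps are produced at each capture point with the command from the answer:
#   tshark -r <file_name> -Y "tcp.stream == n and ip.dst == m.m.m.m" \
#          -T fields -e tcp.seq -e tcp.checksum > src.txt   (and dst.txt)

TAB=$(printf '\t')

# compare_dumps SRC DST
# Prints "seq<TAB>source checksums<TAB>destination checksums" for every
# sequence number whose set of checksums differs; "-" means not seen there.
# sort -u drops exact repeats (retransmissions seen at one capture point).
compare_dumps() {
    {
        awk 'NF == 2 { print $1 "\t" $2 "\tsrc" }' "$1"
        awk 'NF == 2 { print $1 "\t" $2 "\tdst" }' "$2"
    } |
    sort -u -t "$TAB" -k1,1n -k2,2 -k3,3 |
    awk -F'\t' '
        function report() {
            if (have && s != d)
                print seq "\t" (s == "" ? "-" : s) "\t" (d == "" ? "-" : d)
        }
        NR == 1 || $1 != seq { report(); seq = $1; s = ""; d = ""; have = 1 }
        $3 == "src" { s = s (s == "" ? "" : ",") $2 }
        $3 == "dst" { d = d (d == "" ? "" : ",") $2 }
        END { report() }
    '
}

# Constructed sample dumps: seq 1461 is retransmitted at the source,
# seq 2921 arrives with a different checksum, seq 5841 never arrives.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\t%s\n' 1 0x1a2b 1461 0x3c4d 1461 0x3c4d \
        2921 0x5e6f 4381 0x7a8b 5841 0x9c9d > "$tmp/src.txt"
    printf '%s\t%s\n' 1 0x1a2b 1461 0x3c4d \
        2921 0x5e70 4381 0x7a8b > "$tmp/dst.txt"
    compare_dumps "$tmp/src.txt" "$tmp/dst.txt"
    rm -rf "$tmp"
}

demo
```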