
Wireshark-bugs: [Wireshark-bugs] [Bug 2589] New: Compare two capture files

Date: Thu, 5 Jun 2008 00:09:10 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2589

           Summary: Compare two capture files
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: vcondole@xxxxxx



Condoleo <vcondole@xxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1855|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=1855)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=1855)
compare enhancement (including tshark) and view minor changes to other files

Build Information:
Build Information Linux:
Version 1.0.99 (SVN Rev 25424)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.8, with GLib 2.14.6, with libpcap 0.9.7, with libz
1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI, without
ADNS, without Lua, with GnuTLS 1.6.3, with Gcrypt 1.2.4, with MIT Kerberos,
without PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.24.7-92.fc8PAE, with libpcap version 0.9.7.

Built using gcc 4.1.2 20070925 (Red Hat 4.1.2-33).

--
Windows:
Version 1.0.99-comparetool-010 (SVN Rev 25424)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.3, with WinPcap (version unknown),
with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8,
with ADNS, with Lua 5.1, with GnuTLS 2.3.8, with Gcrypt 1.4.1, with MIT
Kerberos, with PortAudio V19-devel (built Jun  4 2008), with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 8.0 build 50727

--
The goal is to detect foreign intrusion. The capture files are produced on
both sides of a communication (server/client) and then compared (max. two
files).

The two capture files are checked for missing packets, and if a found match has
a different checksum (only the IP header yet) or the delay is too big (the
variance can be set in seconds), the packet is considered faulty. It also checks
the order if both packets have the same predecessor.

The packets are compared regarding their IP ID or TTL.
The Info column contains new numbering so that the same packets are parallel.
The color filtering differentiates the two files from each other. A "zebra"
effect is created if the Info column is sorted.
For the MAC and TTL options we assume that the files were captured with at
least one router in between, so the MAC or TTL is different.
If you click on a packet in the error list, it gets selected in the main
window.

The start and stop numbers will try to find the same range of each file. Start
means count of matched packets in sequence. Stop means no match found in
sequence for n times.
All values which are set to zero, are deactivated.

To start, select Statistics->Compare... in Wireshark, or -z compare,... for
tshark.
compare_stat.c is stored in the gtk folder of the project.
tap-comparestat.c is stored in the wireshark folder.

We also did some fuzz testing:
./editcap -E 1.0 ...
randpkt -c 50000 -t ip ...
tools/fuzz-test.sh
We used different test captures; one is attached.

For the TTL option we changed: epan/dissectors/packet-ip.c
To work on Windows we added in_cksum() to epan/libwireshark.def

We hope this feature is useful to Wireshark.

Regards
Vincenzo Condoleo


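The comparison described in the report (match packets from two captures taken on either side of a router, then flag missing, altered, delayed and reordered packets) is easy to misjudge without seeing the matching rules in one place. The script below is an added illustration written for this page; it is not Wireshark's tap-comparestat.c and does not reproduce its exact rules. It assumes the IPv4 Identification field is the match key, that exactly one router sits between the two capture points (so TTL and the header checksum are masked before headers are compared), that IP IDs are unique within the compared window, that a zero delay tolerance disables the delay check, and that a packet seen only on the far side counts as injected. The packet headers are constructed in the script, not taken from the attached capture.

```python
"""Compare two captures of one conversation taken on either side of a router.

Added example (not Wireshark code).  Packets are matched on the IPv4 ID field.
A match is faulty when the header differs (TTL and checksum masked, since the
router rewrites both), when a stored header checksum does not verify, when the
one-way delay exceeds a tolerance, or when the two sides disagree about which
matched packet came before it.
"""
import struct
from dataclasses import dataclass

OFF_TOS, OFF_ID, OFF_TTL, OFF_CKSUM = 1, 4, 8, 10   # IPv4 header byte offsets


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum of an IPv4 header, checksum field taken as zero."""
    h = header[:OFF_CKSUM] + b"\x00\x00" + header[OFF_CKSUM + 2:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == struct.unpack_from("!H", header, OFF_CKSUM)[0]


def build_ipv4_header(ip_id, ttl, src="10.0.0.2", dst="192.0.2.10", tos=0, proto=17, length=60):
    """Minimal 20-byte IPv4 header with a correct checksum (constructed test data)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ip_id, 0x4000, ttl, proto, 0,
                      addr(src), addr(dst))
    return hdr[:OFF_CKSUM] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[OFF_CKSUM + 2:]


def ip_id(header: bytes) -> int:
    return struct.unpack_from("!H", header, OFF_ID)[0]


def normalized(header: bytes) -> bytes:
    """Header with TTL and checksum zeroed: what one router hop must leave unchanged."""
    b = bytearray(header)
    b[OFF_TTL] = 0
    b[OFF_CKSUM:OFF_CKSUM + 2] = b"\x00\x00"
    return bytes(b)


@dataclass
class Captured:
    ts: float       # capture timestamp, seconds
    header: bytes   # raw IPv4 header


def compare_captures(side_a, side_b, max_delay):
    """Return {ip_id: sorted problem list} for every packet that is not a clean match.

    Assumes IP IDs are unique within each capture (the field wraps at 65536)."""
    problems = {}

    def flag(i, what):
        problems.setdefault(i, set()).add(what)

    by_a = {ip_id(p.header): p for p in side_a}
    by_b = {ip_id(p.header): p for p in side_b}
    matched = set(by_a) & set(by_b)
    for i in set(by_a) - matched:
        flag(i, "missing")        # sent, never seen on the other side
    for i in set(by_b) - matched:
        flag(i, "unexpected")     # seen on the far side only: possibly injected

    # Predecessor check over matched packets only, so a missing packet does not
    # also make its successor look reordered.
    seq_a = [ip_id(p.header) for p in side_a if ip_id(p.header) in matched]
    seq_b = [ip_id(p.header) for p in side_b if ip_id(p.header) in matched]
    pred_a = {i: seq_a[n - 1] for n, i in enumerate(seq_a) if n}
    pred_b = {i: seq_b[n - 1] for n, i in enumerate(seq_b) if n}

    for i in matched:
        a, b = by_a[i], by_b[i]
        if normalized(a.header) != normalized(b.header):
            flag(i, "header_changed")
        if not (checksum_valid(a.header) and checksum_valid(b.header)):
            flag(i, "bad_checksum")
        if max_delay and abs(b.ts - a.ts) > max_delay:   # zero tolerance disables the check
            flag(i, "delayed")
        if pred_a.get(i) != pred_b.get(i):
            flag(i, "reordered")
    return {i: sorted(v) for i, v in problems.items()}


def sample_captures():
    """Constructed client/server captures: one hop, one loss, one swap, one delay, one edit."""
    client = [Captured(0.01 * n, build_ipv4_header(100 + n, ttl=64)) for n in range(5)]

    def hop(n, ts):                        # same packet after one router: TTL 64 -> 63
        return Captured(ts, build_ipv4_header(100 + n, ttl=63))

    tampered = bytearray(build_ipv4_header(104, ttl=63))
    tampered[OFF_TOS] = 0x10               # DSCP rewritten in transit, checksum not fixed
    server = [hop(0, 0.002), hop(2, 0.022),          # 101 is missing
              Captured(0.042, bytes(tampered)),      # 104 arrives before 103
              hop(3, 0.60),                          # 103 delayed by ~0.57 s
              Captured(0.05, build_ipv4_header(500, ttl=7, src="203.0.113.9"))]  # injected
    return client, server


if __name__ == "__main__":
    c, s = sample_captures()
    for i, what in sorted(compare_captures(c, s, max_delay=0.1).items()):
        print(i, ", ".join(what))
```

Comparing a capture with itself returns an empty result, which is the sanity check to run before trusting any finding; the one-router assumption is what makes the TTL/checksum masking safe, and a second hop or a NAT in the path would need the source/destination fields masked as well.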