ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: [Wireshark-dev] Diff feature of Wireshark ( or tcapdiff )

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Kenichi Okuyama" <kenichi.okuyama@xxxxxxxxx>
Date: Fri, 16 Nov 2007 10:57:33 +0900
Dear list,

I'm currently looking for "diff" tool for tcpdump/wireshark capture files.
I found similar topic in "Wishlist" section of wiki page (GUI:48.).
But there seems to be some difference between what is written and what
I imagine.

Is there any project already started about this? I'd be very happy to join.


BTW. This is what I imagine as diff tool:

- It should be tcapdiff or tdiffcap or .. in any case, it should be
command line base,
  not GUI ( or at least, we need command line base ).
  Let me call this program "tcapdiff" for now.

- basically tcapdiff takes *6* filenames.
  tcapdiff src1 src2 common_src1 common_src2 only_src1 only_src2

  "src1" and "src2" is two cap files that we use as input. tcapdiff will try to
  look for difference between these two files.

  Usually, src1 and src2 comes from different source, and hence each packet
  owns different timestamp. Sometimes we need to ignore those time stamps.
  But when we output "common" part, user might need those timestamp again.
  Hence, we need two file to output "common" part of capture file.

  And for packets exist only in src1, shall go to "only_src1", and
  those which exist only in src2 shall go to "only_src2".

- (Though I'm not really coming up with good image yet)
  We need lots of options for which part of packet to compare, and which part of
  packet to ignore when we compare packets.

  ignoring timestamp is one of the idea.

- We need "ignoring the sequence" option.

  Think about network connected with firewall. Cap1 is capture being held from
  NIC which is connected to The Internet, and Cap2 is capture being held from
  NIC which is connected to intranet.

  Let's assume that "almost" exactly the same time, two packet have arraived to
  this firewall. Packet A came from The Internet, and heading for
intranet. Packet B
  came from intranet and heading for The Internet.

  Cap1 will have Packet A and B in following sequence:
        Packet A
        Packet B
  But Cap2 might have Packet A and B in following:
        Packet B
        Packet A

  If we care about sequence, diff output will have something like:
       > Packet A
       < Packet A
  which is usually not what we want. Easiest way to ignore such a case is to
  ignore "sequence".
# And to be honest, this is what I really want to have.
# diff feature that CAN ignore sequence of the packet.

Hope to be of any help to this project, for it already have helped me a lot :)

best regards,
-- 
Kenichi Okuyama
URL: http://www.dd.iij4u.or.jp/~okuyamak/
     http://developer.osdl.jp/projects/doubt/
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube