Wireshark-dev: Re: [Wireshark-dev] Diff feature of Wireshark ( or tcapdiff )
From: "Kenichi Okuyama" <[email protected]>
Date: Fri, 16 Nov 2007 13:36:05 +0900
Dear Steve,

> >   Usually, src1 and src2 come from different sources, and hence each
> >   packet has a different timestamp. Sometimes we need to ignore those
> >   timestamps. But when we output the "common" part, the user might need those
> >   timestamps again. Hence, we need two files to output the "common" part of
> >   the capture file.
> Is it necessary to have two "common" output files?  Couldn't the
> timestamps be recovered from the original files if needed?

Let's assume that we do not output "common_src2".

       % tcapdiff src2 common_src1 .....
will give you "common_src2" as the "common" output file.

But this will require nearly twice the time to create common_src1 and
On the other hand, I wonder if it is very difficult to create common_src2..
# Both technically and from a resource point of view..
# A recent tcpdump file can grow up to 1 Gbyte in around 5 min... which is
# really tough for a 32-bit OS to handle.

> > - We need "ignoring the sequence" option.
> Ok.  Can I assume you would want to be able to compare / ignore any of
> the fields that Wireshark / Tshark supports?  I'm not sure how
> complicated the programming would be without looking into it further.

Being honest, I usually first filter the cap file so it only contains
the packet type I need, output them in text mode, then compare them.
So for myself, currently I only need a feature to ignore "capture time"
and "sequence".

For others ... I don't know. "Is there any need??" is a question for me too.

Also, for complicated cases, it might be better to write libraries
for Perl, Ruby, Python, and other interpreters with a
diff feature, so that we can write the "comparison" function using
interpreter features..

One of the reasons why I asked for the project is that there might
already be an answer to those questions as well ;-p

Thank you again, Steve, for your points. It really helps me clarify
what I really need.

best regards,
Kenichi Okuyama
URL: http://www.dd.iij4u.or.jp/~okuyamak/
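Editor's added example (not code from the Wireshark project, tcapdiff, or anyone in this thread): a minimal capture diff in pure Python that does what the message above asks for. It parses two classic pcap files, normalizes each packet by ignoring the capture timestamp and zeroing the TCP sequence and acknowledgement numbers, and splits the captures into a "common" part and a per-file "only" part. The common part is produced once per input file so that each side keeps its own original timestamps, which is why the thread wants two "common" outputs. Assumptions that are mine, not the thread's: link type Ethernet (DLT 1), IPv4 without options and plain TCP are enough for the demo, packets are matched as multisets (a packet seen twice in src1 and once in src2 gives one common and one src1-only record), and the two sample captures are constructed inline.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # little-endian classic pcap, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type (assumption for this demo)


def parse_pcap(data: bytes):
    """Return (linktype, [(ts_sec, ts_usec, packet_bytes), ...]) from a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def normalize(pkt: bytes) -> bytes:
    """Comparison key: the frame with TCP seq/ack zeroed (timestamp is not part of the key)."""
    if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":      # not IPv4: compare raw bytes
        return pkt
    ihl = (pkt[14] & 0x0F) * 4
    if len(pkt) < 14 + ihl + 20 or pkt[23] != 6:        # too short or not TCP
        return pkt
    tcp = 14 + ihl
    return pkt[:tcp + 4] + b"\x00" * 8 + pkt[tcp + 12:]  # seq (4 bytes) + ack (4 bytes)


def capdiff(src1: bytes, src2: bytes):
    """Split two pcaps into (common_src1, common_src2, only_src1, only_src2).

    Every returned record carries the timestamp from its own input file, so the
    "common" part is written twice without losing either side's timing."""
    _, rec1 = parse_pcap(src1)
    _, rec2 = parse_pcap(src2)
    # multiset intersection of normalized packets
    shared = Counter(normalize(p) for _, _, p in rec1) & Counter(normalize(p) for _, _, p in rec2)

    def split(records):
        budget, common, only = Counter(shared), [], []
        for rec in records:
            key = normalize(rec[2])
            if budget[key] > 0:
                budget[key] -= 1
                common.append(rec)
            else:
                only.append(rec)
        return common, only

    c1, o1 = split(rec1)
    c2, o2 = split(rec2)
    return c1, c2, o1, o2


def write_pcap(records, linktype=DLT_EN10MB) -> bytes:
    """Serialize records back into a classic little-endian pcap blob."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


# --- constructed sample input (not real traffic) --------------------------
def tcp_frame(seq: int, ack: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero since they are not compared."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Same conversation captured at two points: different timestamps and different
# sequence numbers, plus one packet that only one side saw.
SRC1 = write_pcap([
    (1000, 0, tcp_frame(1, 1, b"GET / HTTP/1.0\r\n")),
    (1000, 500, tcp_frame(17, 1, b"Host: a\r\n")),
    (1001, 0, tcp_frame(26, 1, b"only in src1")),
])
SRC2 = write_pcap([
    (2000, 0, tcp_frame(9001, 42, b"GET / HTTP/1.0\r\n")),
    (2000, 900, tcp_frame(9017, 42, b"Host: a\r\n")),
    (2001, 0, tcp_frame(9026, 42, b"only in src2")),
])

if __name__ == "__main__":
    c1, c2, o1, o2 = capdiff(SRC1, SRC2)
    print(f"common: {len(c1)}  src1-only: {len(o1)}  src2-only: {len(o2)}")
    common_src1, common_src2 = write_pcap(c1), write_pcap(c2)  # each keeps its own timestamps
    print(f"common_src1 {len(common_src1)} bytes, common_src2 {len(common_src2)} bytes")
```

Producing common_src2 here costs one extra pass over the already-parsed records rather than a second full diff, which is the cheaper of the two options discussed above; normalize() is the single place to extend if more fields (IP ID, checksums, TTL) should also be ignored.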