Is there a possibility to insert an empty line in the "packet list pane" of Wireshark on some particular spot?

It should be as in the picture below - lines 8 and 10 look like "inserted". Wenn an empty line is marked, the packet details pane and the packet bytes pane shouls be empty too.

I think about two possibilities:

  1. The PCAP File should not be changed, only the view of the file, or
  2. insert an "empty Packet" in PCAP File, and than show the changed file in Wireshark

Is something like this possible?

alt text

asked 15 May '12, 02:01

ZvDj's gravatar image

ZvDj
1333
accept rate: 0%

edited 06 Nov '13, 04:38

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181


I don't think it is possible, because Wireshark is a tool to dissect and analyze what is there, and not an editor.

Out of curiosity - why would you need a feature like that? I can't think of any reason why someone would want to add empty lines at all...

link

answered 15 May '12, 02:21

Jasper's gravatar image

Jasper ♦
16.1k338212
accept rate: 17%

You cannot insert an empty line, but you can ignore a certain packet, which looks almost like an empty line.

  1. select a packet
  2. press CTRL-X (or right-click and select "Ignore Packet (toggle)"
  3. to unhide, press CTRL-X again

You can combine this with previously injected/inserted packets in the pcap file (e.g. ICMP packets with a certain length, to identify them).

Unfortunately, I don't know any tool that is able to insert packets into a pcap file at a certain position.

EDIT: I just remembered Network Expect. You can 'possibly' do it with Network Expect, however it requires quite some scripting know-how.

Sample
just modifying a pcap file (ip rewrite). Inserting should be possible by calling 'send_network ip' twice at a certain position (counter) in the pcap file. Once for the original IP packet and once again for a newly created (injected/inserted) IP/ICMP packet.

http://netexpect.org/wiki/RewriteAndReplay

If you just want a marker in your capture file please use that function (CTRL-M).

Otherwise, please tell us more, as @Jasper already mentioned.

Regards
Kurt

link

answered 15 May '12, 02:46

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181
accept rate: 15%

edited 15 May '12, 03:24

I thought of that, too, but that would remove a packet from view which I don't think was intended - if you want to have an empty line without losing anything you can't ignore a packet :-)

(15 May '12, 02:52) Jasper ♦

that's true and I'm suggesting it only out of thin air, as there was not enough information in the original post ;-)

(15 May '12, 03:02) Kurt Knochner ♦

see latest EDIT above

(15 May '12, 03:20) Kurt Knochner ♦

Thanks for answers.

My intention is to open two instances of wireshark (thanks Kurt) and to compare two PCAP Files. If some Packet in a first file is absent, there should be shown an empty line (in the firstInstance), and at the second file (in the second instance) should be shown the whole packet.

The "packet list pane" is nothing but some kind of ListView Control, and there should be possible to insert un empty line. The question is only, if something like this in Wireshark possible is.

@Kurt: I will try NetExect soon. Thx

Best regards to all Zvonko

(15 May '12, 04:49) ZvDj

I mean NetExpect ;)

(15 May '12, 04:49) ZvDj

> The question is only, if something like this in Wireshark possible is.

Unfortunately no. See answers/comments above.

Regarding "pcap diff", see my answer below.

(15 May '12, 05:24) Kurt Knochner ♦
showing 5 of 6 show 1 more comments

To answer your question regarding pcap diff

If you "just" want a PCAP diff, there are tools available for that (e.g. pcapdiff). These tools will not show the differences in a graphical way, as they are mostly console tools.

tpcat (Windows)
http://sourceforge.net/projects/tpcat/

PcapDiff (Perl)
http://sourceforge.net/projects/pcapdiff/

tracediff
http://www.wand.net.nz/trac/libtrace/wiki/TraceDiff

pcapdiff (python)
http://www.eff.org/testyourisp/pcapdiff/

Apparently, the later one is no longer accessible, however it's in several linux repositories (e.g. Fedora - yum install pcapdiff).

Of course, you can also use the built-in compare option
http://www.wireshark.org/docs/wsug_html_chunked/ChStatCompareCaptureFiles.html

It is also possible to compare the text form of the captures. HOWEVER this will only work, if there are NO major changes in the cpature files, like NAT, packet reordering, etc !!

Export the cpature files with tshark into text form and diff the output with WinMerge.

tshark -r cap1.cap > cap1.txt
tshark -r cap2.cap > cap2.txt

Diff both files with WinMerge:

http://justpaste.it/zky

Regards
Kurt

link

answered 15 May '12, 06:14

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
18.9k733181
accept rate: 15%

It would be nice, when "just PCAP diff" were :)

There should be Compare options, compare filter, and of course, it should funct fast and also with very long files.

(15 May '12, 08:53) ZvDj

feel free to implement all that in wireshark :-) You will gain a lot of friends ;-) In the meantime you have all the options described above.

(15 May '12, 09:11) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×7
×6
×2
×1

Asked: 15 May '12, 02:01

Seen: 2,565 times

Last updated: 06 Nov '13, 04:38

powered by OSQA