how can I compare 2 capture files to expose the difference in packets?

asked 2019-11-14 18:19:33 +0000

PaulPointer

updated 2019-11-14 18:25:36 +0000

I have 2 Wireshark pcap files I would like to compare for differences. I have a MacBook Pro which, after upgrading to the Catalina release, can no longer log in to my D-Link NAS, whereas I have a MacBook Air using a previous release that can log in to my NAS. I would like to see what the differences are in the 2 trace files of the login (failure and successful) to be able to forward to Apple for a fix. I am using a MacBook Pro with Wireshark installed. Thanks in advance for any assistance.


Comments

Have you looked at WireEdit?

Chuckc ( 2019-11-14 18:46:21 +0000 )

I have looked at the feature set but don't see the compare feature and I don't need to edit the packets.

PaulPointer ( 2019-11-14 20:36:12 +0000 )

How are you with cut, sed and awk? Run them through tshark, munge as needed then compare both sets of results with "diff -b".

Chuckc ( 2019-11-14 20:54:34 +0000 )

Just looked up the commands you mention and I can say I'm a "novelist" in using these commands to manipulate files. Can you refer me to a more detailed set of instructions on how to do this? Thanks

PaulPointer ( 2019-11-14 21:02:05 +0000 )

    $ tshark -r ./190719_BSD_Ftp.pcapng -T fields -e _ws.col.Info | head -10
    Standard query 0x5020 A wpad
    Standard query 0x5020 A wpad
    Name query NB WPAD<00>
    Name query NB WPAD<00>
    Who has Tell
    60444 → 8009 [SYN] Seq=0 Win=17520 Len=0 MSS=1460 WS=256 SACK_PERM=1
    NOTIFY * HTTP/1.1
    NOTIFY * HTTP/1.1
    NOTIFY * HTTP/1.1
    NOTIFY * HTTP/1.1
    tshark: An error occurred while printing packets: Broken pipe.

You might start with just the Info column. The gotcha will be the ports and seq/ack numbers being different for each capture. SF19EU 07 - Solving (SharkFest) packet challenges using tshark alone (Sake Blok)

Chuckc ( 2019-11-14 21:17:50 +0000 )
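The tshark-then-diff workflow Chuckc describes, including the gotcha that ephemeral ports and seq/ack numbers differ between the two captures, as an added example that is not part of the original thread. The tshark options and `_ws.col.*` field names are real; `NAS_IP`, the capture file names and the sample Info lines in `demo_diff` are constructed placeholders for illustration. The sed step replaces the per-session numbers with fixed tokens so that `diff -b` reports only differences in the protocol exchange itself.

```shell
#!/bin/sh
# Added example: normalise tshark Info output from two captures and diff them.
# Not code from the thread; NAS_IP and the sample lines below are constructed.

# Placeholder for the NAS address seen in your captures (RFC 5737 range).
NAS_IP="${NAS_IP:-192.0.2.10}"

# Normalise tshark "Protocol Info" lines read from stdin. Values that legitimately
# differ between two TCP sessions (client port, seq/ack/window, TCP timestamps,
# DNS transaction ids) are replaced with fixed tokens; everything else is kept.
normalize_info() {
  sed -E \
    -e 's/[0-9]+ → [0-9]+ \[/PORT → PORT [/' \
    -e 's/(Seq|Ack|Win)=[0-9]+/\1=N/g' \
    -e 's/TS(val|ecr)=[0-9]+/TS\1=N/g' \
    -e 's/(query|response) 0x[0-9a-fA-F]+/\1 0xTXID/g'
}

# Emit "<Protocol> <Info>" per packet for traffic involving the NAS only.
# -Y applies a display filter; -E separator=/s uses a space between fields.
extract_info() {  # $1 = capture file
  tshark -r "$1" -Y "ip.addr == $NAS_IP" -T fields \
    -e _ws.col.Protocol -e _ws.col.Info -E separator=/s
}

# Compare two captures: exit status 0 if the normalised exchanges match,
# 1 if diff found differences (diff -b ignores whitespace-only changes).
compare_captures() {  # $1 = working-client capture, $2 = failing-client capture
  good=$(mktemp) && bad=$(mktemp) || return 2
  extract_info "$1" | normalize_info > "$good"
  extract_info "$2" | normalize_info > "$bad"
  diff -b "$good" "$bad"; status=$?
  rm -f "$good" "$bad"
  return $status
}

# Offline demo on constructed Info lines (no pcap needed): the same login
# exchange with different client ports and sequence numbers, where only the
# failing side ends with an error response and a reset.
demo_diff() {
  good=$(mktemp) && bad=$(mktemp) || return 2
  normalize_info > "$good" <<'EOF'
TCP 50123 → 445 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
TCP 445 → 50123 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
SMB2 Negotiate Protocol Request
SMB2 Negotiate Protocol Response
SMB2 Session Setup Request
SMB2 Session Setup Response
EOF
  normalize_info > "$bad" <<'EOF'
TCP 50777 → 445 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
TCP 445 → 50777 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
SMB2 Negotiate Protocol Request
SMB2 Negotiate Protocol Response
SMB2 Session Setup Request
SMB2 Session Setup Response, Error: STATUS_LOGON_FAILURE
TCP 50777 → 445 [RST, ACK] Seq=120 Ack=80 Win=0 Len=0
EOF
  diff -b "$good" "$bad"; status=$?
  rm -f "$good" "$bad"
  return $status
}

# Usage: NAS_IP=<nas address> sh compare.sh good.pcapng bad.pcapng
# With no arguments the constructed demo runs instead.
if [ "$#" -eq 2 ]; then
  compare_captures "$1" "$2"
else
  demo_diff
fi
```

The diff from the demo shows only the two lines that differ in substance (the error response and the reset), because the handshake lines normalise to identical text on both sides. Run the real comparison with the captures from the two Macs; if the diff is still noisy, extend `normalize_info` with further `sed` rules for whatever per-session values your NAS protocol carries.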