how make a diff between two pcap files ?
I have two pcap files and I want to make the difference between them. And store the difference in another pcap file. I tried diff command but it's not suitable with the binary files and I used also the pcap_diff tool but the result is inconsistent I mean pcap1 size - pcap2 size # diff pcap size Any help please
I'm not sure if there are any tools do do what you want, but what do you mean by the difference? Unless both captures were taken on the same capturing host at the same time, it's likely that the timestamps will be different, meaning every packet record is different.
So, you'll have to define what you mean by the difference between the files?
Both files are captured in the same time but in two different machine. One machine makes port mirorring traffic and the second the machine traffic.
The records will be timestamped locally, and thus the timestamps are likely to be different, making every record appear to be different.
A further complication is that an on-machine capture may not be the same as from a tap or port mirror because, at the capturing point in the network stack, checksums and fragmentation may not have been done yet as they are handled by the NIC driver\firmware\hardware.
I agree with @grahamb - both pcaps will be too different to do anything like that. Most likely the local capture will have different time stamps, frame sizes, and checksums. I don't think there's any realistic way of creating a difference pcap file.
Can I ask why you are trying to do that, anyway? What is the goal or result you need?
Are you trying to determine which packets a port mirror drops?
https://wiki.wireshark.org/CaptureSet...