
How do I compare 2 PCAP files in Wireshark?

asked 2021-05-11 07:44:28 +0000

jonathandl2

updated 2021-05-11 07:48:10 +0000

I recently gathered 2 packet traces, one from Wireshark running on the client side and one from a firewall in the network path, simultaneously in order that I may compare them to see whether there was any packet loss. Then I Googled for how to compare PCAP files in Wireshark, and the first "hit" is:

https://documentation.help/Wireshark/...

But how do I actually bring up the "Compare" dialog box? Note, the above-linked website appears to be a copy of a prior version of the Wireshark documentation; the most recent version of the manual no longer mentions such a feature. Was the "compare" feature removed from Wireshark? More generally, it would be very helpful if Wireshark can do a side-by-side comparison of 2 PCAPs of the same transaction taken at 2 different places in the network.


3 Answers


answered 2021-05-11 08:24:23 +0000

hugo.vanderkooij

Did you do the merge as instructed?

Compare two capture files. This feature works best when you have merged two capture files chronologically, one from each side of a client/server connection. The merged capture data is checked for missing packets.


answered 2021-05-11 08:55:24 +0000

grahamb

I'm not entirely certain where the 3rd party site you refer to gets its info, likely just a copy of the actual Wireshark documentation, but it's certainly out of date. The perils of not using the actual source of the info.

Either use the help installed with your version of Wireshark which is likely to be mostly in-line with the features in your version, or use the development docs here that may be slightly different from your version.

There is no compare dialog in current versions, it was removed when the UI toolkit changed to Qt, so probably still in 2.6.x if you enable the GTK+ UI on install.


answered 2021-05-11 18:24:08 +0000

BigFatCat

I need more details on what you are trying to accomplish and the packet count. The packets may not be in the same order. It depends on the protocol, full duplex, and latency. An example is a busy TCP session with 16ms latency. If you capture the entire TCP session from start to end, then the packet count will be the same, but not in the same order. An example is the server sending several segments while the client responds with acknowledgements. The packet capture will show all the packets as they are received at the capture point. Send a response; there are different tricks for each situation.


Comments

Thank you for your reply. I've been trying to troubleshoot a problem where hosts on a particular internal subnet have trouble accessing a particular Internet-facing website that we also own. The browser times out but eventually gets in, long after the browser's timeout expires.

Looking at either capture, I see that the SSL handshake fails to complete. By comparing the two captures, I hope to find out whether this is caused by packet loss between the 2 points where I took the captures. I don't think I care about whether packets are delivered out of order unless that's relevant to identifying the problem. But I also thought that a compare utility is useful in general and was surprised that it was taken out.

jonathandl2 (2021-05-11 18:34:07 +0000)
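The first answer's approach (line the two traces up and look for missing packets) can be done without the removed Compare dialog, as long as packets are matched by what they are rather than by where they sit in the file, which is the reordering problem the third answer raises. The script below is an added example, not part of this thread and not Wireshark's own code. It assumes classic little-endian pcap files with Ethernet frames (pcapng is not handled), keys IPv4/TCP packets on addresses, ports, IP ID, sequence/ack numbers and flags while deliberately ignoring TTL and checksums (a router between the two capture points changes those), and builds its two sample traces in memory from constructed packets; the addresses, ports and sequence numbers are made up for the demonstration.

```python
"""Order-independent comparison of two pcap captures of the same traffic.

Added example, not Wireshark code. Constructed data only: classic
little-endian pcap, Ethernet link type, IPv4/TCP packets keyed by content,
everything else keyed on its raw bytes.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
SYN, ACK, PSH = 0x02, 0x10, 0x08


def iter_pcap_frames(data):
    """Yield raw frames from classic pcap bytes (pcapng is not handled here)."""
    magic, = struct.unpack_from("<I", data, 0)
    link_type, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC_LE or link_type != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def packet_key(frame):
    """Identity of a frame that survives the trip between two capture points.

    TTL and checksums are left out on purpose: a router in between changes
    them, but it is still the same packet. IP ID plus TCP seq/ack/flags keeps
    a retransmission (new IP ID) distinct from the original.
    """
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return ("other", bytes(frame))
    ihl = (frame[14] & 0x0F) * 4
    ip_id = struct.unpack_from("!H", frame, 18)[0]
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    tcp = 14 + ihl
    if proto != PROTO_TCP or len(frame) < tcp + 20:
        return ("ip", src, dst, proto, ip_id)
    sport, dport, seq, ack = struct.unpack_from("!HHII", frame, tcp)
    return ("tcp", src, dst, sport, dport, ip_id, seq, ack, frame[tcp + 13])


def compare_captures(pcap_a, pcap_b):
    """Multiset difference of packet keys: (only_in_a, only_in_b) as Counters."""
    a = Counter(packet_key(f) for f in iter_pcap_frames(pcap_a))
    b = Counter(packet_key(f) for f in iter_pcap_frames(pcap_b))
    return a - b, b - a


# --- constructed test traffic (not real captures) ---------------------------

def tcp_frame(src, dst, sport, dport, seq, ack, flags, ip_id, ttl):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero in this example."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, ttl,
                     PROTO_TCP, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def pcap_bytes(frames, t0=1620720000):
    """Wrap frames in a classic pcap file, one second apart."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def handshake_frames(ttl_out, ttl_in):
    """One TLS handshake attempt (hypothetical addresses) as seen with the given TTLs."""
    c, s = "10.1.2.3", "203.0.113.10"
    def up(seq, ack, flags, ip_id):    # client -> server
        return tcp_frame(c, s, 51000, 443, seq, ack, flags, ip_id, ttl_out)
    def down(seq, ack, flags, ip_id):  # server -> client
        return tcp_frame(s, c, 443, 51000, seq, ack, flags, ip_id, ttl_in)
    return {"syn": up(1000, 0, SYN, 1), "synack": down(5000, 1001, SYN | ACK, 900),
            "ack": up(1001, 5001, ACK, 2), "hello": up(1001, 5001, PSH | ACK, 3),
            "s1": down(5001, 1200, ACK, 901), "s2": down(6461, 1200, PSH | ACK, 902),
            "ack_s1": up(1200, 6461, ACK, 4)}


def demo():
    """Client-side vs firewall-side trace: the firewall (closer to the server) logs
    the second ServerHello segment before the client's ACK of the first, and that
    segment never reaches the client. Only the real loss is reported."""
    cl = handshake_frames(ttl_out=64, ttl_in=52)   # as seen on the client
    fw = handshake_frames(ttl_out=63, ttl_in=54)   # same packets one hop later
    client_side = pcap_bytes([cl[k] for k in ("syn", "synack", "ack", "hello", "s1", "ack_s1")])
    firewall_side = pcap_bytes([fw[k] for k in ("syn", "synack", "ack", "hello", "s1", "s2", "ack_s1")])
    return compare_captures(client_side, firewall_side)
```

For real files, replace the constructed traces with `open(path, "rb").read()` on each capture (or on a file produced by mergecap, if the two traces were merged first as the first answer suggests) and print the keys in each returned Counter; a key that shows up only on the firewall side is a packet that left the firewall but was not seen by the client, which is the loss the question is trying to prove or rule out. Because the key ignores TTL and checksums, the hop between the two capture points does not produce false mismatches, and because a Counter is used, a packet retransmitted twice on one side and once on the other is reported as one extra copy rather than hidden.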
