
Is there a possibility to insert an empty line in the "packet list pane" of Wireshark on some particular spot?

It should be as in the picture below - lines 8 and 10 look like "inserted". When an empty line is marked, the packet details pane and the packet bytes pane should be empty too.

I think about two possibilities:

  1. The PCAP File should not be changed, only the view of the file, or
  2. insert an "empty Packet" in PCAP File, and then show the changed file in Wireshark

Is something like this possible?


asked 15 May '12, 02:01

ZvDj

accept rate: 0%

edited 06 Nov '13, 04:38


Kurt Knochner ♦

I don't think it is possible, because Wireshark is a tool to dissect and analyze what is there, and not an editor.

Out of curiosity - why would you need a feature like that? I can't think of any reason why someone would want to add empty lines at all...


answered 15 May '12, 02:21


Jasper ♦♦
accept rate: 18%

You cannot insert an empty line, but you can ignore a certain packet, which looks almost like an empty line.

  1. select a packet
  2. press CTRL-X (or right-click and select "Ignore Packet (toggle)")
  3. to unhide, press CTRL-X again

You can combine this with previously injected/inserted packets in the pcap file (e.g. ICMP packets with a certain length, to identify them).

Unfortunately, I don't know any tool that is able to insert packets into a pcap file at a certain position.

EDIT: I just remembered Network Expect. You can 'possibly' do it with Network Expect, however it requires quite some scripting know-how.

just modifying a pcap file (ip rewrite). Inserting should be possible by calling 'send_network ip' twice at a certain position (counter) in the pcap file. Once for the original IP packet and once again for a newly created (injected/inserted) IP/ICMP packet.


If you just want a marker in your capture file please use that function (CTRL-M).

Otherwise, please tell us more, as @Jasper already mentioned.



answered 15 May '12, 02:46


Kurt Knochner ♦
accept rate: 15%

edited 15 May '12, 03:24

I thought of that, too, but that would remove a packet from view which I don't think was intended - if you want to have an empty line without losing anything you can't ignore a packet :-)

(15 May '12, 02:52) Jasper ♦♦

that's true and I'm suggesting it only out of thin air, as there was not enough information in the original post ;-)

(15 May '12, 03:02) Kurt Knochner ♦

see latest EDIT above

(15 May '12, 03:20) Kurt Knochner ♦

Thanks for answers.

My intention is to open two instances of Wireshark (thanks Kurt) and to compare two PCAP Files. If some Packet in the first file is absent, there should be shown an empty line (in the first instance), and at the second file (in the second instance) should be shown the whole packet.

The "packet list pane" is nothing but some kind of ListView Control, and it should be possible to insert an empty line. The question is only whether something like this is possible in Wireshark.

@Kurt: I will try NetExect soon. Thx

Best regards to all Zvonko

(15 May '12, 04:49) ZvDj

I mean NetExpect ;)

(15 May '12, 04:49) ZvDj

> The question is only whether something like this is possible in Wireshark.

Unfortunately no. See answers/comments above.

Regarding "pcap diff", see my answer below.

(15 May '12, 05:24) Kurt Knochner ♦

To answer your question regarding pcap diff

If you "just" want a PCAP diff, there are tools available for that (e.g. pcapdiff). These tools will not show the differences in a graphical way, as they are mostly console tools.

tpcat (Windows)

PcapDiff (Perl)


pcapdiff (python)

Apparently, the latter one is no longer accessible, however it's in several Linux repositories (e.g. Fedora - yum install pcapdiff).

Of course, you can also use the built-in compare option

It is also possible to compare the text form of the captures. HOWEVER this will only work if there are NO major changes in the capture files, like NAT, packet reordering, etc !!

Export the capture files with tshark into text form and diff the output with WinMerge.

tshark -r cap1.cap > cap1.txt
tshark -r cap2.cap > cap2.txt

Diff both files with WinMerge:




answered 15 May '12, 06:14


Kurt Knochner ♦
accept rate: 15%

It would be nice, when "just PCAP diff" were :)

There should be Compare options, compare filter, and of course, it should function fast and also with very long files.

(15 May '12, 08:53) ZvDj

feel free to implement all that in wireshark :-) You will gain a lot of friends ;-) In the meantime you have all the options described above.

(15 May '12, 09:11) Kurt Knochner ♦
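
Added example (not part of the original posts, and not code from Wireshark or any tool named above): the aligned two-file view the asker describes can be computed outside Wireshark. This sketch parses two classic pcap files with the Python standard library and pairs identical packets, leaving `None` (the "empty line") where one capture lacks a packet. `build_pcap` and the sample packets are constructed for illustration, and matching is on raw packet bytes only, so NAT or other rewrites defeat it, as with the text diff above.

```python
import struct
from difflib import SequenceMatcher

def read_pcap(data):
    """Parse a classic (non-pcapng) capture; return the list of raw packet bytes."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian (usec / nsec)
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian (usec / nsec)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    packets, offset = [], 24                  # the global header is 24 bytes
    while offset + 16 <= len(data):           # each record header is 16 bytes
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record")
        packets.append(data[offset:offset + incl_len])
        offset += incl_len
    return packets

def align(a, b):
    """Return (index_in_a, index_in_b) rows; None marks the 'empty line' side."""
    rows = []
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            rows += zip(range(i1, i2), range(j1, j2))
        else:  # insert / delete / replace: show each side against a gap
            rows += [(i, None) for i in range(i1, i2)]
            rows += [(None, j) for j in range(j1, j2)]
    return rows

def build_pcap(packets):
    """Constructed sample input: little-endian pcap, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, p in enumerate(packets):
        out += struct.pack("<IIII", n, 0, len(p), len(p)) + p
    return out

def demo():
    pkts = [b"pkt-%d" % i for i in range(5)]              # constructed payloads
    first = read_pcap(build_pcap(pkts[:1] + pkts[2:]))    # packet 1 is missing here
    second = read_pcap(build_pcap(pkts))
    return align(first, second)

if __name__ == "__main__":
    for left, right in demo():
        print(f"{'' if left is None else left:>4} | {'' if right is None else right:>4}")
```
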

Pretty sure scapy can do this, but the easiest one will be ColaSoft PacketBuilder

Original capture

After importing it to PacketBuilder and inserting 2 entries ( see new frames 4 and 7)


you can then edit the values of the fields you inserted

out of curiosity, why would you want to do this? I use colasoft sometimes for a way to create asynchronous environments

hope this helps



answered 29 Feb '16, 06:29

ppcap

accept rate: 50%
