Is there a possibility to insert an empty line in the "packet list pane" of Wireshark on some particular spot?
It should be as in the picture below - lines 8 and 10 look like "inserted". When an empty line is marked, the packet details pane and the packet bytes pane should be empty too.
I think about two possibilities:
Is something like this possible?
I don't think it is possible, because Wireshark is a tool to dissect and analyze what is there, and not an editor.
Out of curiosity - why would you need a feature like that? I can't think of any reason why someone would want to add empty lines at all...
answered 15 May '12, 02:21
You cannot insert an empty line, but you can ignore a certain packet, which looks almost like an empty line.
You can combine this with previously injected/inserted packets in the pcap file (e.g. ICMP packets with a certain length, to identify them).
Unfortunately, I don't know any tool that is able to insert packets into a pcap file at a certain position.
EDIT: I just remembered Network Expect. You can 'possibly' do it with Network Expect, however it requires quite some scripting know-how.
If you just want a marker in your capture file please use that function (CTRL-M).
Otherwise, please tell us more, as @Jasper already mentioned.
To answer your question regarding pcap diff
If you "just" want a PCAP diff, there are tools available for that (e.g. pcapdiff). These tools will not show the differences in a graphical way, as they are mostly console tools.
Apparently, the latter one is no longer accessible; however, it's in several Linux repositories (e.g. Fedora -
Of course, you can also use the built-in compare option
It is also possible to compare the text form of the captures. HOWEVER, this will only work if there are NO major changes in the capture files, like NAT, packet reordering, etc.!!
Export the capture files with tshark into text form and diff the output with WinMerge.
Diff both files with WinMerge:
answered 15 May '12, 06:14
Kurt Knochner ♦
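Added example, not part of the original answers: a Python sketch of the text-form comparison described above that also produces the view the question asks for, with an empty line wherever a packet is missing from one capture. It assumes each export is tshark's default one-line-per-packet summary (frame number, relative time, then the rest); the sample lines and the names `normalize` and `align` are constructed for illustration.

```python
import difflib

def normalize(line):
    """Drop the frame number and relative time (first two columns) so the
    same packet matches even if its position or timing differs."""
    parts = line.strip().split(None, 2)
    return parts[2] if len(parts) == 3 else line.strip()

def align(left, right):
    """Return (left_line, right_line) rows; '' marks a packet missing on that side."""
    sm = difflib.SequenceMatcher(a=[normalize(l) for l in left],
                                 b=[normalize(r) for r in right],
                                 autojunk=False)
    rows = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            rows.extend(zip(left[i1:i2], right[j1:j2]))
        else:
            # delete/insert/replace: put each unmatched packet opposite an empty line
            rows.extend((l, "") for l in left[i1:i2])
            rows.extend(("", r) for r in right[j1:j2])
    return rows

# Constructed sample exports: capture B never saw the first echo reply.
CAPTURE_A = [
    "1 0.000000 10.0.0.1 → 10.0.0.2 ICMP 98 Echo (ping) request seq=1/256",
    "2 0.000410 10.0.0.2 → 10.0.0.1 ICMP 98 Echo (ping) reply seq=1/256",
    "3 1.001020 10.0.0.1 → 10.0.0.2 ICMP 98 Echo (ping) request seq=2/512",
    "4 1.001390 10.0.0.2 → 10.0.0.1 ICMP 98 Echo (ping) reply seq=2/512",
]
CAPTURE_B = [
    "1 0.000000 10.0.0.1 → 10.0.0.2 ICMP 98 Echo (ping) request seq=1/256",
    "2 1.000950 10.0.0.1 → 10.0.0.2 ICMP 98 Echo (ping) request seq=2/512",
    "3 1.001500 10.0.0.2 → 10.0.0.1 ICMP 98 Echo (ping) reply seq=2/512",
]

if __name__ == "__main__":
    for a, b in align(CAPTURE_A, CAPTURE_B):
        print(f"{a:<75} | {b}")
```

As the answer above notes, this kind of comparison breaks down when addresses are rewritten by NAT or packets are reordered between the two capture points; reordered packets show up here as a gap on each side.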