Ethereal-users: Re: [Ethereal-users] comparing two files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 29 Dec 2004 17:04:55 +0100
Perl's Net::Pcap and NetPacket can turn out much more useful for that purpose,
supposing the firewall does not modify the packets (which it might do).

The attached script reads the packets, crops the Ethernet header and
writes a hexdump, one packet per line.
After that, you feed diff with both output files.

It's not really a detailed application but I've used it for routers in the past.

Luis
On Wed, 29 Dec 2004 07:54:25 -0700, Earl Eiland <eee@xxxxxxx> wrote:
> I have to compare two files, one being packets going onto a firewall,
> and one packets leaving the firewall.  I then need to create a new file
> of packets dropped by said firewall.
> 
> I presume this ability is not built into Ethereal.  Where can I find
> information on Ethereal's file structure, so I can build a parser?
> 
> Earl Eiland
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>

#!/usr/bin/perl
# Reads a libpcap capture, strips the Ethernet header from every packet and
# prints the remainder as one colon-separated hex line per packet, so that
# two such dumps can be compared with diff.
use strict;
use warnings;
use Net::Pcap;
use NetPacket::Ethernet;

my $in_file = shift or die "usage: $0 capture.pcap\n";

my $err;
my %hdr;

my $pcap_in = Net::Pcap::open_offline($in_file, \$err)
    or die "cannot open $in_file: $err\n";

while (1) {
    my $pkt = Net::Pcap::next($pcap_in, \%hdr);   # undef at end of file
    last unless defined $pkt;

    my $eth = NetPacket::Ethernet->decode($pkt);

    # $eth->{data} is everything after the 14-byte Ethernet header
    print bin2hex($eth->{data}) . "\n";
}

Net::Pcap::close($pcap_in);
exit;

# Hex-encode one or more binary strings as "AA:BB:CC".
sub bin2hex {
    my $hex = '';
    for my $str (@_) {
        for my $c (split //, $str) {
            $hex .= sprintf("%02X:", unpack('C', $c));
        }
    }
    $hex =~ s/:$//;
    return $hex;
}

__END__
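As an added example (not part of Luis's post and not Ethereal code), the same pipeline in Python using only the standard library: it parses the libpcap file layout Earl asked about (24-byte global header, then a 16-byte record header before each packet), crops the Ethernet header as the Perl script does, reports the inbound packets that have no match in the outbound capture, and writes them to a new pcap file. The TTL/checksum masking in compare_key and the built-in sample captures are assumptions added here; the masking addresses Luis's caveat that a firewall may rewrite packets, since a routing firewall decrements the IPv4 TTL and recomputes the header checksum on every forwarded packet, so an unmasked comparison would report every forwarded packet as dropped.

```python
"""Compare two libpcap captures and write out the packets that never made it
through.  Added example (not from the mailing-list post or from Ethereal);
standard library only.  Parses the classic libpcap layout: 24-byte global
header, then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len)
in front of every packet."""
import struct
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def read_pcap(data):
    """Parse a libpcap byte string into (linktype, [(ts_sec, ts_usec, packet), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                      # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                      # same magic byte-swapped: big-endian host
    else:
        raise ValueError("not a classic libpcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, pkt))
    return linktype, records


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise records back into a little-endian libpcap file (version 2.4)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


def compare_key(pkt, mask_hop_fields=True):
    """Luis's 'crop the Ethernet header' step.  With mask_hop_fields the IPv4
    TTL (byte 8) and header checksum (bytes 10-11) are zeroed as well, because
    a routing firewall rewrites both on every forwarded packet.  That masking
    is an assumption added in this example, not something the post does."""
    payload = pkt[ETH_HDR_LEN:]
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if mask_hop_fields and ethertype == 0x0800 and len(payload) >= 20:
        payload = payload[:8] + b"\x00" + payload[9:10] + b"\x00\x00" + payload[12:]
    return payload


def dropped_packets(inside, outside, mask_hop_fields=True):
    """Records from the inside capture with no counterpart in the outside one.
    A Counter (multiset) is used so a packet seen twice inside and once outside
    is reported once, which is also what diff on two hex dumps would show."""
    lt_in, rec_in = read_pcap(inside)
    lt_out, rec_out = read_pcap(outside)
    if lt_in != LINKTYPE_ETHERNET or lt_out != LINKTYPE_ETHERNET:
        raise ValueError("both captures must use linktype 1 (Ethernet)")
    seen = Counter(compare_key(p, mask_hop_fields) for _, _, p in rec_out)
    dropped = []
    for rec in rec_in:
        key = compare_key(rec[2], mask_hop_fields)
        if seen[key] > 0:
            seen[key] -= 1
        else:
            dropped.append(rec)
    return dropped


def _frame(src, dst, ttl, payload):
    """Constructed Ethernet frame with a minimal IPv4 header (checksum left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     ttl, 17, 0, src, dst)
    return eth + ip + payload


# Constructed sample captures: the firewall forwarded two packets (TTL 64 -> 63)
# and silently dropped the one from 10.0.0.2.
INSIDE = write_pcap([
    (1104336000, 0, _frame(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01", 64, b"allowed")),
    (1104336000, 10, _frame(b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x01", 64, b"blocked")),
    (1104336000, 20, _frame(b"\x0a\x00\x00\x03", b"\xc0\xa8\x01\x01", 64, b"also ok")),
])
OUTSIDE = write_pcap([
    (1104336000, 5, _frame(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01", 63, b"allowed")),
    (1104336000, 25, _frame(b"\x0a\x00\x00\x03", b"\xc0\xa8\x01\x01", 63, b"also ok")),
])

if __name__ == "__main__":
    if len(sys.argv) == 4:        # usage: script.py inside.pcap outside.pcap dropped.pcap
        inside, outside = (open(p, "rb").read() for p in sys.argv[1:3])
        out_path = sys.argv[3]
    else:                         # no arguments: run on the constructed sample
        inside, outside, out_path = INSIDE, OUTSIDE, None
    dropped = dropped_packets(inside, outside)
    for ts_sec, ts_usec, pkt in dropped:
        print("%d.%06d %s" % (ts_sec, ts_usec, pkt[ETH_HDR_LEN:].hex(":")))
    if out_path:
        with open(out_path, "wb") as f:
            f.write(write_pcap(dropped))
```

Run without arguments to see the sample result (one line, the "blocked" packet); with three arguments it reads two real captures and writes the dropped packets to the third path, which Ethereal opens like any other capture. The masking only covers what a plain router changes: if the firewall also does NAT, the addresses and ports differ on the two sides and matching needs a key built from fields the NAT leaves alone (for instance the IP identification field and the payload), which this example does not attempt.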