Wireshark-dev: Re: [Wireshark-dev] Diff feature of Wireshark ( or tcapdiff )

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Thu, 15 Nov 2007 19:29:21 -0700

On Fri, Nov 16, 2007 at 10:57:33AM +0900, Kenichi Okuyama wrote:

> I'm currently looking for a "diff" tool for tcpdump/wireshark capture
> files. I found a similar topic in the "Wishlist" section of the wiki page
> (GUI:48.). But there seems to be some difference between what is
> written and what I imagine.
> 
> Is there any project already started about this? I'd be very happy to
> join.

Not that I'm aware of, unfortunately.  It can always be started though.

> - basically tcapdiff takes *6* filenames.
>   tcapdiff src1 src2 common_src1 common_src2 only_src1 only_src2
>
>   "src1" and "src2" are the two cap files that we use as input. tcapdiff
>   will try to look for differences between these two files.

Ok, makes sense.

>   Usually, src1 and src2 come from different sources, and hence each
>   packet has a different timestamp. Sometimes we need to ignore those
>   timestamps. But when we output the "common" part, the user might need those
>   timestamps again. Hence, we need two files to output the "common" part of
>   the capture file.

Is it necessary to have two "common" output files?  Couldn't the
timestamps be recovered from the original files if needed?

>   And packets that exist only in src1 shall go to "only_src1", and
>   those which exist only in src2 shall go to "only_src2".

Ok.

> - (Though I'm not really coming up with a good image yet)
>   We need lots of options for which part of packet to compare, and
>   which part of packet to ignore when we compare packets.
>
>   Ignoring the timestamp is one of the ideas.
> 
> - We need "ignoring the sequence" option.

Ok.  Can I assume you would want to be able to compare / ignore any of
the fields that Wireshark / Tshark supports?  I'm not sure how
complicated the programming would be without looking into it further.

> Hope to be of some help to this project, for it has already helped me
> a lot :)

We welcome everyone to help :).  I can't promise I can work on this
project any, though I may (especially if I can convince myself it would
be useful - how often and what other situations would it be used in?).


Steve
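
The six-file split discussed in this thread, as an added example that is not part of the original messages or of Wireshark's code. It assumes classic little-endian pcap input and compares captured bytes only, ignoring timestamps and packet order; `make_pcap`, `read_pcap`, the `tcapdiff` function and the sample packets are hypothetical names and constructed data.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
def make_pcap(packets, linktype=1):
    """Build a little-endian classic pcap from (ts_sec, ts_usec, data) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return (global_header, [(record_header, data), ...])."""
    if struct.unpack_from("<I", blob)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    records, off = [], 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from("<I", blob, off + 8)[0]
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet record")
        records.append((blob[off:off + 16], data))  # header keeps the timestamp
        off += 16 + incl_len
    return blob[:24], records

def tcapdiff(src1, src2):
    """Return (common_src1, common_src2, only_src1, only_src2) as pcap bytes.
    Packets match on captured bytes alone; timestamps and order are ignored."""
    (hdr1, recs1), (hdr2, recs2) = read_pcap(src1), read_pcap(src2)
    unmatched = defaultdict(list)  # packet bytes -> src2 indexes not yet paired
    for i, (_, data) in enumerate(recs2):
        unmatched[data].append(i)
    common1, only1, paired = [], [], set()
    for rec in recs1:
        if unmatched[rec[1]]:  # multiset match: a duplicate pairs only once
            common1.append(rec)
            paired.add(unmatched[rec[1]].pop(0))
        else:
            only1.append(rec)
    common2 = [r for i, r in enumerate(recs2) if i in paired]
    only2 = [r for i, r in enumerate(recs2) if i not in paired]
    def build(hdr, recs):
        return hdr + b"".join(h + d for h, d in recs)
    return build(hdr1, common1), build(hdr2, common2), build(hdr1, only1), build(hdr2, only2)

# Constructed sample captures: same traffic seen at two points, different clocks.
PKT_A, PKT_B, PKT_C = b"\x01" * 20, b"\x02" * 20, b"\x03" * 20
SRC1 = make_pcap([(100, 0, PKT_A), (101, 0, PKT_B), (102, 0, PKT_A)])
SRC2 = make_pcap([(500, 5, PKT_B), (501, 0, PKT_C), (502, 0, PKT_A)])
```

The two common outputs hold the same packet bytes, but each keeps the record headers of its own source, so the original timestamps survive the comparison.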