Wireshark-dev: Re: [Wireshark-dev] compare two capture files and io graph

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Mon, 2 Feb 2009 07:25:11 +1100
Another alternative is to basically allow two separate instances of Wireshark (with 2 separate capture files), to have their IOGraph windows be displayed adjacent to each other. You might then have a tool, either graphical or via a filter, to be able to synchronise point in the graph. You could also then have the common horizonal scroller. You might also optionally overlay the graphs. The problem with merging the captures files is that you really still have to keep them separate to make all of the other deconding and detailed analysis is consistent.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Sun, Feb 1, 2009 at 9:59 PM, michele <michele@xxxxxxxxx> wrote:
michele wrote:

> I need to compare two different capture files, looking for similarities
> in both of them. Using a modified version of IO Graph and a new field
> which counts the cumulative frames length, I'm plotting a cumulative
> graph of bytes over time. Now I want to (graphically) compare two
> different dumps; this means having two normalized curves [1] plotted in
> the same graph area.
>
> Do you have any implementation suggestion?

I try to respond to myself.

The capture A contains the packets exchanged during the access to three
different web sites, say 1, 2 and 3.
The capture B contains the packets exchanged during the access of the
web site 1.

(The modified version of file.c I'm using, performs a cumulative count
of frame length, separating the three different site downloads using a
delta value for the relative time field.)

The graphic comparison can be done in the following way:

- merge captures A and B
- (normalize the time of the two captures)
- try to find a match between A and B moving the horizontal scroll bar
of IOGraph window (a second new horizontal scroll bar must be added).

Is this reasonable for you?








___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe