Wireshark-users: Re: [Wireshark-users] Comparing packets

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Tue, 12 Jun 2007 16:51:17 -0700

On Wed, May 23, 2007 at 06:14:53PM +0100, Piers Kittel wrote:

> So, the computers were run at the same time to capture the packets 
> going between device A and B.  I've got 2 files, like 
> A-20070522-162040.gz and B-20070522-162040.gz.  I've merged the two, 
> and filtered out the packets I'm not interested in.  Naturally, I see 
> double of nearly all packets.  What I'm interested in is to find 
> packets that failed to reach the other side, so I'd like to filter out 
> all packets that arrived successfully - how do I do this?

> Packet 4 failed to arrive however.  How do I filter out Packets 1 and 
> 2 but not 3?

There currently isn't a way to detect duplicate packets in Wireshark 
that I know of.  What would be needed is some sort of duplicate 
detection that compares the payload of each packet against each other 
packet.  That would be computationally expensive, so it might be best 
left as an option that you run one time, perhaps as part of the merge 
captures process.  Would it work for you to simply be told which are 
duplicates or would you prefer them to be displayed in the protocol tree 
(by default the middle pane) and be filterable?  It would be best if you 
could go to http://bugs.wireshark.org and submit a bug report requesting 
this and mark it as an "enhancement request."  Thanks!


Steve
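
The duplicate detection discussed in this message can be done outside Wireshark with one hash per packet rather than a pairwise payload comparison. The following is an added example, not part of the original message and not Wireshark code; it assumes both capture points record byte-identical frames (no router or NAT rewriting headers in between) in classic little-endian pcap format, and the function names and sample frames are hypothetical.

```python
import hashlib
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps


def build_pcap(frames):
    """Build a classic pcap (link type 1, Ethernet) from raw frame bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for ts, data in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Yield (packet_number, frame_bytes); numbering is 1-based like Wireshark."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    off, num = 24, 0
    while off + 16 <= len(blob):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        if off + incl > len(blob):
            break  # truncated final record, stop cleanly
        num += 1
        yield num, blob[off:off + incl]
        off += incl


def missing_from(cap_src, cap_dst):
    """Packet numbers in cap_src that have no byte-identical partner in cap_dst."""
    # One hash per packet instead of comparing every packet with every other.
    # A Counter (multiset) lets an identical retransmission pair off only once.
    remaining = Counter(hashlib.sha256(f).digest() for _, f in read_pcap(cap_dst))
    lost = []
    for num, frame in read_pcap(cap_src):
        key = hashlib.sha256(frame).digest()
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            lost.append(num)
    return lost


# Constructed sample frames (not real traffic): 14-byte Ethernet header + payload.
ETH = bytes(12) + b"\x08\x00"
P1, P2, P3, P4 = (ETH + bytes([n]) * 20 for n in (1, 2, 3, 4))
CAP_A = build_pcap([P1, P2, P3, P3, P4])  # side A sent P3 twice, then P4
CAP_B = build_pcap([P1, P2, P3])          # side B saw only one P3 and no P4

if __name__ == "__main__":
    print("sent by A, never seen at B:", missing_from(CAP_A, CAP_B))
```

Gzip-compressed captures such as the ones named in the question would need `gzip.decompress()` applied before being passed to `read_pcap`.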