Wireshark-users: [Wireshark-users] Diffing network traces

From: "david m. richter" <richterd@xxxxxxxxxxxxxx>
Date: Tue, 4 Dec 2007 10:27:47 -0500 (EST)
	Hello,

	I'm curious about diffing packet captures -- we've just started a 
project to evaluate a commercial product that aims to eliminate P2P 
traffic (hm..) and we want to see what it's doing.

	Naturally, wireshark will factor heavily into this, but we're 
wondering what else we can use or do when comparing input/output captures 
through this network device -- we'll end up with a lot of data, and we're 
chiefly interested in the differences between the captures.

	We've looked at little things like the EFF's pcapdiff... which, 
while interesting, doesn't (yet?) actually do quite what you'd imagine, 
given its name.  Doing things by hand in the shell with some combination 
of tshark/editcap/awk/sort/etc seems to be common, but again could be 
unwieldy given that we want to trace, e.g., long-running bittorrent 
traffic.
	
	Many, many people must've been faced with a task like this, and we 
figure that the wireshark community is probably a great place to start for 
advice and experience.  Any suggestions would be greatly appreciated -- 
thanks very much,

	d
	.
_____
 david m. richter
 CITI -- Center for Information Technology Integration
 http://www.citi.umich.edu
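One way to do the comparison the post asks about, as an added example that is not part of the original message: summarise each capture by 5-tuple flow and report flows that appear only on the input side (fully blocked), only on the output side, or with a different packet count (partially dropped). The pcap parser, frame builder and the sample "before/after the device" captures are constructed here for illustration and assume classic libpcap files with an Ethernet link type.

```python
import struct
from collections import Counter

def flows(pcap_bytes):
    """Count packets per (proto, src, sport, dst, dport) in a classic libpcap file (Ethernet/IPv4; other frames skipped)."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # usec-resolution magic, either byte order
    counts, off = Counter(), 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        l4 = pkt[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", l4) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
        counts[(proto, src, sport, dst, dport)] += 1
    return counts

def diff_flows(before, after):
    """Flows only before the device, only after it, and flows whose packet count changed (partial drops)."""
    fa, fb = flows(before), flows(after)
    return {"only_before": sorted(set(fa) - set(fb)),
            "only_after": sorted(set(fb) - set(fa)),
            "changed": {k: (fa[k], fb[k]) for k in fa if k in fb and fa[k] != fb[k]}}

# --- constructed sample captures (no checksums, no payload; test data only) ---
def frame(proto, src, sport, dst, dport):
    """Minimal Ethernet/IPv4 frame with an 8-byte TCP/UDP-style header (ports only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

WEB = frame(6, "10.0.0.5", 52000, "198.51.100.9", 80)
BT_TCP = frame(6, "10.0.0.5", 51000, "203.0.113.7", 6881)
BT_UDP = frame(17, "10.0.0.5", 6881, "192.0.2.33", 6881)
BEFORE = make_pcap([WEB, BT_TCP, BT_TCP, BT_TCP, BT_UDP])   # capture on the LAN side of the device
AFTER = make_pcap([WEB, BT_TCP])                            # capture on the WAN side of the device

if __name__ == "__main__":
    for key, val in diff_flows(BEFORE, AFTER).items():
        print(key, val)
```

On real long-running captures, swap the `flows()` parser for `tshark -T fields` output of the same 5-tuple; the diff logic stays the same.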