Wireshark-users: [Wireshark-users] Comparing Capture Files from Multiple Locations

From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Date: Thu, 9 Oct 2008 14:49:31 -0700

Principal Member of Technical Staff

 



Hello Blake

Thank you for the excellent tip.

One question though; what happens when there is variable latency in the
link (congestion), it would seem that a fixed time offset would cause
packets to be ordered in correctly.

Or am I looking at this the wrong way?

Thanks,
Barry


-----Original Message-----



From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Sent: Thursday, October 09, 2008 10:29 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 29, Issue 17

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Comparing Capture Files from Multiple Locations
      (Barry Constantine)
   2. Re: Mac OS 10.4 build? ( Nicol?s Christie )
   3. Re: Mac OS 10.4 build? (Ian Schorr)
   4. Re: Comparing Capture Files from	Multiple	Locations (Sake
Blok)
   5. Re: Comparing Capture Files from Multiple	Locations (Abhik Sarkar)
   6. Re: tshark showing null values in the generated	pdml file
      (Abhik Sarkar)
   7. Graphing 802.11 contention (Steve Evans)


----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Oct 2008 17:36:36 -0700
From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Subject: [Wireshark-users] Comparing Capture Files from Multiple
	Locations
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<6ECE57DF49376146B91A92A3C37EFC0E06AC7915@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,
 
If captures are performed at two locations (say a Web Browser
workstation and Web Server), is there an easy way to compare both
capture files to do somewhat of  a "diff" function between the two
capture files?
 
I understand that timestamps, IP IDs, etc. will be different, this would
be really more of a Layer 4+ level "diff"
 
Thanks,
Barry
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20081008/fc7c
4175/attachment.htm 

------------------------------

Message: 2
Date: Wed, 8 Oct 2008 22:34:35 -0300
From: " Nicol?s Christie " <nicolas.christie@xxxxxxxxx>
Subject: Re: [Wireshark-users] Mac OS 10.4 build?
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
	<6cac2fc10810081834y56b4c183j250ccfdc9b6b0a71@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi, thanks for the reply Stephen, Guy and Stig... and sorry, should have
given some more info.

I'm trying to use Wireshark 1.0.3 on an Intel based MacBook Pro with Mac
OS
10.4. Apparently something does need OS 10.5. When opening the app, it
opens
X11, shows in my dock for a few seconds and then dissapears! I'm
guessing
because some checking went wrong and the app couldn't continue opening.

As for compiling the code, software is not particulary my strongpoint,
I'm
an Electronics Engineering student, so I'm guessing I'd need some help
with
that. I did read the MacOS.readme file included in the source code, but
I'd
probably have more luck knitting a jacket! :) UNIX Command Line is
uncharted
territory... sorry :S

_______________________
Nicol?s Christie
nicolas.christie@xxxxxxxxx
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20081008/aefa
4726/attachment.htm 

------------------------------

Message: 3
Date: Thu, 9 Oct 2008 14:40:08 +1000
From: "Ian Schorr" <ian.schorr@xxxxxxxxx>
Subject: Re: [Wireshark-users] Mac OS 10.4 build?
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<99996da00810082140x55865837l659534f7d96640dc@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Not to go too off-topic, but I've been meaning to ask.  Do you know what
the
reason for this is?  Is it just lack of PPC equipment where the build
systems are?  Or some other reason?

On Wed, Oct 8, 2008 at 2:05 PM, Stephen Fisher
<stephentfisher@xxxxxxxxx>wrote:


> Unfortunately, the pre-compiled
> binary is Intel only right now.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20081009/ad0c
8567/attachment.htm 

------------------------------

Message: 4
Date: Thu, 9 Oct 2008 08:37:52 +0200
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Comparing Capture Files from	Multiple
	Locations
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20081009063752.GA20848@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi Barry,

>    If captures are performed at two locations (say a Web Browser
workstation
>    and Web Server), is there an easy way to compare both capture files
to do
>    somewhat of  a "diff" function between the two capture files?
>     
>    I understand that timestamps, IP IDs, etc. will be different, this
would
>    be really more of a Layer 4+ level "diff"

There is no(t yet) upper layer diff function in (wire|t)shark and
I'm not aware of any other program that has that functionality. However,
it might be useful to synchronize the timestamps of the two tracefiles
and then merge them into one file. That way you can follow the packets
back and forth more easily.

If we have a client and server capture like this:

$ tshark -ta -r client.cap "tcp.flags.syn==1"
  1 22:31:59.246452 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.248515 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

$ tshark -ta -r server.cap "tcp.flags.syn==1"
  1 22:31:49.548529 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:49.548556 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

We can correct the server.cap file so that the timestamps match with
the timestamps in client.cap with:

editcap -t 9.698941 server.cap server-corrected.cap

(see http://www.lovemytool.com/blog/2008/09/sake_blok.html for a
guideline on how to calculate the proper time correction)

Which results in:

$ tshark -ta -r server-corrected.cap "tcp.flags.syn==1"
  1 22:31:59.247470 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.247497 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

Now we can merge the two files and get:

$ tshark -o "tcp.analyze_sequence_numbers:FALSE" -r cl_srv.cap
  1   0.000000 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  2   0.001018 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  3   0.001045 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK]
Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  4   0.002063 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK]
Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  5   0.002100 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  6   0.002472 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  7   0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  8   0.003082 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  9   0.003118 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK]
Seq=3963293255 Ack=2682727813 Win=46 Len=0
 10   0.004058 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK]
Seq=3963293255 Ack=2682727813 Win=46 Len=0
 11   0.022906 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
(text/html)
 12   0.024024 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
(text/html)
 13   0.032044 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK]
Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 14   0.032508 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK]
Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 15   0.032544 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK]
Seq=3963293630 Ack=2682727814 Win=46 Len=0
 16   0.033867 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK]
Seq=3963293630 Ack=2682727814 Win=46 Len=0
 17   0.033897 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727814 Ack=3963293631 Win=63812 Len=0
 18   0.034434 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727814 Ack=3963293631 Win=63812 Len=0

(please note that I disabled the analysis of tcp sequence numbers as
each packet is present twice in the tracefile, which messes up the
analysis of tcp sequence numbers).

Tip 1: when there was a routing hop in between the client and the
server,
       also display mac-addresses, it will tell you where each packet
       was captured

Tip 2: While you're at it, use colorfiltering in wireshark on the 
       addresses to make it even more visible :-)

Hope this helps,
Cheers,
    Sake


------------------------------

Message: 5
Date: Thu, 9 Oct 2008 10:39:24 +0400
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Subject: Re: [Wireshark-users] Comparing Capture Files from Multiple
	Locations
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<c460e4040810082339g70ef71e7l8806e8a8a9e7448c@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

There is a enhancement patch
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2589 which needs
to be reviewed. For now, I don't think there is any feature like that,
but perhaps someone else a better idea.

On Thu, Oct 9, 2008 at 4:36 AM, Barry Constantine
<Barry.Constantine@xxxxxxxx> wrote:
> Hello,
>
> If captures are performed at two locations (say a Web Browser
workstation
> and Web Server), is there an easy way to compare both capture files to
do
> somewhat of  a "diff" function between the two capture files?
>
> I understand that timestamps, IP IDs, etc. will be different, this
would be
> really more of a Layer 4+ level "diff"
>
> Thanks,
> Barry
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>


------------------------------

Message: 6
Date: Thu, 9 Oct 2008 13:50:11 +0400
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Subject: Re: [Wireshark-users] tshark showing null values in the
	generated	pdml file
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<c460e4040810090250p69214b28x92ed77a4793df131@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

On Tue, Oct 7, 2008 at 10:12 PM, siri m <svu004@xxxxxxxxx> wrote:
> I have 2 questions:
>
> (1) If wireshark gui (0.99.6) can show the right values for the show
and
> value for the smpp message, was bug fix 1110 a temporary fix?
I am not sure if that was a temporary fix or not, but a lot more
things can be done in the GUI than the way in which the packet is
exported to PDML. So, I don't think the two can be compared. My
understanding is that the bug 1110 was reporting invalid characters in
the PDML file and the handling of FT_NONE was changed accodingly.

>
> (2) Is there an alternative way to get the show and value present in
the
> smpp message? (previously with tethereal, we used to convert the smpp
> capture file to pdml format and then, convert the hex value in the
value
> attribute of the pdml file to get the contents...).
>
I will review this and perhaps post a patch to enhance the handling.


------------------------------

Message: 7
Date: Thu, 9 Oct 2008 07:22:04 -0700 (PDT)
From: Steve Evans <sc_evans@xxxxxxxxx>
Subject: [Wireshark-users] Graphing 802.11 contention
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <92309.88659.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-7"

Porting Vocera Badge to Symbol MC70 - Phase2



I
would like to know if there is a proven method for either filtering or
graphing
802.11 contention to establish a baseline to compare the differences
when
encountering latency problems. I thought of measuring Contention Free
Period End over time but it doesn?t
seem to show anything of value.




      
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.wireshark.org/lists/wireshark-users/attachments/20081009/9c54
2d16/attachment.htm 

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 29, Issue 17
***********************************************