Wireshark mailing list archives
Re: match packets at sender and receiver
From: bart sikkes <b.sikkes () gmail com>
Date: Tue, 6 Apr 2010 15:49:49 +0200
Hello, I still haven't tried the tool myself, but perhaps it could be useful for you: http://www.eff.org/testyourisp/pcapdiff/

Good luck,
bart

On Tue, Apr 6, 2010 at 2:45 PM, Andrej van der Zee <andrejvanderzee () gmail com> wrote:
> Hi Ian,
>
> Thank you for your reply.
>
>> How many point samples do you need? How many comparisons are you making?
>
> I want to make an average for every second. The cap-files come from another department, but there should be many packets a second.
>
>> If it's just a handful, what's wrong with the manual approach? Just locate a few matching packets in each capture (with TCP, *start* by just searching the second capture for some TCP sequence number in the first, which are likely to be unique within each capture unless it's quite large), and, well, compare their timestamps. It shouldn't take more than a minute, tops, per comparison you're doing.
>
> I have to do this for many cap files, for many different machines, on many platforms, on many occasions.
>
>> Or if you're a shell scripter and have some control over the traffic in your sample captures, perhaps generate your own unique traffic - some "ping" with a unique data pattern, maybe. Then use tshark+some filtering, extract the timestamps using a shell script, and do a little work to compare and print the time deltas between the systems.
>
> I am now using libpcap to read the packets. For starters, I am interested in all IP packets.
>
>> Do you have more details on the testing you're trying to do; how much control you have over conditions (can you generate your own unique traffic between each host during a given test?), etc? That'd help with giving you some technique ideas.
>
> I have practically no control over the environment, because it is different all the time.
>
>> Remember that if you're using the traffic captures to compare time, though, then any network latency will make your comparison less accurate.
>
> Yes, that is another issue. For starters, I would like to match packets on both ends of the connection (I know the IP address of both ends). Then, compare timestamps and somehow estimate and subtract the latency. But the latency is another topic; I will accept the accuracy penalty for now.
>
> What I would like to know is how to match packets on both ends of the line, provided that I have the IP numbers. Are there any unique packet identifiers that appear in the cap-files on both ends? What should I use? For example, when I study the cap-file in Wireshark, I see under "Internet Protocol" an "Identification" number that seems to be incremented for packets over the same connection (or conversation?). Is this Identification number generated by Wireshark or is it really in the packet headers? Does it appear in both cap files? In that case, I could use a tuple <IP, Identification> to match packets on both ends. Or is there a better way?
>
> Thank you,
> Andrej
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
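As an added illustration (not code from the thread or from pcapdiff), a minimal Python matcher for the approach Andrej asks about: the IPv4 Identification field is carried in the packet header itself (Wireshark only displays it), so the script keys packets from two libpcap files on source, destination, protocol and Identification, adds the first four bytes of the transport header because a 16-bit ID alone is not guaranteed unique, and reports the receiver-minus-sender timestamp difference. The two captures and their addresses are constructed inside the script; they are not real traffic.

```python
import struct

# The IPv4 Identification field is carried in the packet (Wireshark only
# displays it), so it is present in both captures. It is 16 bits and some
# stacks send ID 0 on every DF packet, so the key also includes the first
# 4 bytes of the transport header (the port pair) to limit false matches.
PCAP_MAGIC, ETH_HDR, ETHERTYPE_IPV4 = 0xA1B2C3D4, 14, b"\x08\x00"

def parse_pcap(data):
    """Yield (timestamp_us, frame) from a little-endian libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl_len]
        off += incl_len

def flow_key(frame):
    """(src, dst, proto, ip_id, l4_first4) for an IPv4 frame, else None."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    return (ip[12:16], ip[16:20], ip[9], struct.unpack_from("!H", ip, 4)[0], ip[ihl:ihl + 4])

def index_capture(data):
    idx = {}
    for ts, frame in parse_pcap(data):
        if (key := flow_key(frame)) is not None:
            idx.setdefault(key, ts)             # first sighting wins; retransmits share a key
    return idx

def match_captures(sender_pcap, receiver_pcap):
    """{key: receiver_ts - sender_ts (us)} for packets seen in both captures."""
    a, b = index_capture(sender_pcap), index_capture(receiver_pcap)
    return {k: b[k] - a[k] for k in a.keys() & b.keys()}

# Constructed sample captures (not real traffic) so the example runs offline.
def build_pcap(records):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out
def tcp_frame(ip_id, sport=40000, dport=80):
    eth = b"\x02" * 6 + b"\x04" * 6 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0, b"\x0a\0\0\x01", b"\x0a\0\0\x02")
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)
SENDER = build_pcap([(1_000_000_000, tcp_frame(1)), (1_000_000_500, tcp_frame(2)), (1_000_001_000, tcp_frame(3))])
RECEIVER = build_pcap([(1_000_000_750, tcp_frame(2)), (1_000_001_250, tcp_frame(3)),
                       (1_000_002_000, b"\x02" * 12 + b"\x08\x06" + bytes(28))])  # ARP frame, skipped
```

Packet ID 1 is present only on the sender side (a lost packet), so `match_captures(SENDER, RECEIVER)` yields two entries, both 250 microseconds; that per-packet delta still contains one-way latency plus any clock offset between the hosts, which is the issue Ian raises above.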