Wireshark mailing list archives
Re: match packets at sender and receiver
From: Ian Schorr <ian.schorr () gmail com>
Date: Tue, 6 Apr 2010 21:51:43 +1000
No automated way in Wireshark that I'm aware of.

How many point samples do you need? How many comparisons are you making? If it's just a handful, what's wrong with the manual approach? Just locate a few matching packets in each capture (with TCP, *start* by just searching the second capture for some TCP sequence number in the first, which are likely to be unique within each capture unless it's quite large), and, well, compare their timestamps. It shouldn't take more than a minute, tops, per comparison you're doing.

Or if you're a shell scripter and have some control over the traffic in your sample captures, perhaps generate your own unique traffic - some "ping" with a unique data pattern, maybe. Then use tshark+some filtering, extract the timestamps using a shell script, and do a little work to compare and print the time deltas between the systems.

Do you have more details on the testing you're trying to do; how much control you have over conditions (can you generate your own unique traffic between each host during a given test?), etc? That'd help with giving you some technique ideas.

Remember that if you're using the traffic captures to compare time, though, then any network latency will make your comparison less accurate.

Once upon a time I had written a simple program that took two network captures taken on two time-synchronized capture devices, and outputted the time deltas between all matching TCP packets exchanged between systems. Its purpose was to "independently" and "transparently" measure network latencies from various points on the network over time, but it'd also probably work for what you're doing. I'm pretty sure it's long gone (7 or 8 years gone), but I'll try to remember to check for it when I'm in the office tomorrow. I suppose it wouldn't be TOO difficult to re-write, especially using Wireshark libs as a backend.

-Ian

On Tue, Apr 6, 2010 at 1:10 PM, Andrej van der Zee <andrejvanderzee () gmail com> wrote:
Hi,

I was wondering if it is possible to match packets at the sender and receiver end of the connection. Suppose I have two cap-files for the same period between hosts A and B that communicate with each other, can I match packets that are sent from A to B, as the packets are sniffed at both sides of the line?

One of the problems I am trying to solve is to detect time differences between the two hosts, preferably on a per-second basis in case of possible clock skews. I thought maybe I could compare the timestamps at host A and B for the same packets, as a starting point.

Any help would be appreciated.

Thank you,
Andrej
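An added example, not part of the original posts and not the program Ian mentions: one way to script the matching discussed above, pairing packets seen in both captures and reporting a per-second clock offset. It goes one step beyond the thread by using traffic in both directions to separate offset from network latency, which assumes the latency is the same each way; the addresses, timestamps, and function names are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal
from statistics import median

# Constructed sample data. Tab-separated columns, as printed by e.g.
#   tshark -r a.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
#          -e ip.id -e tcp.seq -e tcp.len
# Assumes both captures print sequence numbers in the same form (raw or relative).
A, B = "10.0.0.1", "10.0.0.2"
CAP_A = "\n".join("\t".join(r) for r in [
    ("1270554700.100000", A, B, "0x1a01", "1000", "100"),
    ("1270554700.260000", B, A, "0x2b01", "5000", "200"),
    ("1270554701.100000", A, B, "0x1a02", "1100", "100"),
    ("1270554701.358000", B, A, "0x2b02", "5200", "200"),
    ("1270554701.700000", A, B, "0x1a03", "1200", "100"),  # never reaches B
    ("1270554701.800000", A, B, "0x1a04", "1300", "100"),  # seen twice at B
])
CAP_B = "\n".join("\t".join(r) for r in [
    ("1270554700.360000", A, B, "0x1a01", "1000", "100"),
    ("1270554700.500000", B, A, "0x2b01", "5000", "200"),
    ("1270554701.362000", A, B, "0x1a02", "1100", "100"),
    ("1270554701.600000", B, A, "0x2b02", "5200", "200"),
    ("1270554702.062000", A, B, "0x1a04", "1300", "100"),
    ("1270554702.062100", A, B, "0x1a04", "1300", "100"),
])

def index(capture):
    """Map (src, dst, ip.id, seq, len) -> list of capture timestamps."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        ts, *key = line.split("\t")
        seen[tuple(key)].append(Decimal(ts))  # Decimal keeps microseconds exact
    return seen

def offset_per_second(cap_a, cap_b, host_a):
    """Return {second on A's clock: (B's clock minus A's, one-way latency)}."""
    at_a, at_b = index(cap_a), index(cap_b)
    deltas = defaultdict(lambda: ([], []))  # second -> (A->B deltas, B->A deltas)
    for key, ts_a in at_a.items():
        ts_b = at_b.get(key, [])
        if len(ts_a) != 1 or len(ts_b) != 1:
            continue  # lost or seen more than once: no safe one-to-one match
        if key[0] == host_a:
            deltas[int(ts_a[0])][0].append(ts_b[0] - ts_a[0])  # latency + offset
        else:
            deltas[int(ts_a[0])][1].append(ts_a[0] - ts_b[0])  # latency - offset
    result = {}
    for sec, (ab, ba) in sorted(deltas.items()):
        if ab and ba:  # both directions are needed to split offset from latency
            d_ab, d_ba = median(ab), median(ba)
            result[sec] = ((d_ab - d_ba) / 2, (d_ab + d_ba) / 2)
    return result
```

On the constructed data, `offset_per_second(CAP_A, CAP_B, A)` reports B's clock 0.250 s ahead in the first second and 0.252 s ahead in the next, with 0.010 s latency in both.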