On Fri, Nov 16, 2007 at 10:57:33AM +0900, Kenichi Okuyama wrote:
> I'm currently looking for "diff" tool for tcpdump/wireshark capture
> files. I found similar topic in "Wishlist" section of wiki page
> (GUI:48.). But there seems to be some difference between what is
> written and what I imagine.
>
> Is there any project already started about this? I'd be very happy to
> join.
Not that I'm aware of unfortunately. It can always be started though.
> - basically tcapdiff takes *6* filenames.
> tcapdiff src1 src2 common_src1 common_src2 only_src1 only_src2
>
> "src1" and "src2" is two cap files that we use as input. tcapdiff
> will try to look for difference between these two files.
Ok, makes sense.
> Usually, src1 and src2 comes from different source, and hence each
> packet owns different timestamp. Sometimes we need to ignore those
> time stamps. But when we output "common" part, user might need those
> timestamp again. Hence, we need two file to output "common" part of
> capture file.
Is it necessary to have two "common" output files? Couldn't the
timestamps be recovered from the original files if needed?
> And for packets exist only in src1, shall go to "only_src1", and
> those which exist only in src2 shall go to "only_src2".
Ok.
> - (Though I'm not really coming up with good image yet)
> We need lots of options for which part of packet to compare, and
> which part of packet to ignore when we compare packets.
>
> ignoring timestamp is one of the idea.
>
> - We need "ignoring the sequence" option.
Ok. Can I assume you would want to be able to compare / ignore any of
the fields that Wireshark / Tshark supports? I'm not sure how
complicated the programming would be without looking into it further.
> Hope to be of any help to this project, for it already have helped me
> a lot :)
We welcome everyone to help :). I can't promise I can work on this
project any, though I may (especially if I can convince myself it would
be useful - how often and what other situations would it be used in?).
Steve
