Wireshark-users: Re: [Wireshark-users] Comparing Capture Files from Multiple Locations
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 9 Oct 2008 08:37:52 +0200
Hi Barry,

>    If captures are performed at two locations (say a Web Browser workstation
>    and Web Server), is there an easy way to compare both capture files to do
>    somewhat of  a "diff" function between the two capture files?
>     
>    I understand that timestamps, IP IDs, etc. will be different, this would
>    be really more of a Layer 4+ level "diff"

There is no(t yet) upper layer diff function in (wire|t)shark and
I'm not aware of any other program that has that functionality. However,
it might be useful to synchronize the timestamps of the two tracefiles
and then merge them into one file. That way you can follow the packets
back and forth more easily.

If we have a client and server capture like this:

$ tshark -ta -r client.cap "tcp.flags.syn==1"
  1 22:31:59.246452 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.248515 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

$ tshark -ta -r server.cap "tcp.flags.syn==1"
  1 22:31:49.548529 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:49.548556 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

We can correct the server.cap file so that the timestamps match with
the timestamps in client.cap with:

editcap -t 9.698941 server.cap server-corrected.cap

(see http://www.lovemytool.com/blog/2008/09/sake_blok.html for a
guideline on how to calculate the proper time correction)

Which results in:

$ tshark -ta -r server-corrected.cap "tcp.flags.syn==1"
  1 22:31:59.247470 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.247497 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN,
ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

Now we can merge the two files and get:

$ tshark -o "tcp.analyze_sequence_numbers:FALSE" -r cl_srv.cap
  1   0.000000 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  2   0.001018 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN]
Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  3   0.001045 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK]
Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  4   0.002063 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK]
Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  5   0.002100 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  6   0.002472 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  7   0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  8   0.003082 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  9   0.003118 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK]
Seq=3963293255 Ack=2682727813 Win=46 Len=0
 10   0.004058 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK]
Seq=3963293255 Ack=2682727813 Win=46 Len=0
 11   0.022906 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
(text/html)
 12   0.024024 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK
(text/html)
 13   0.032044 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK]
Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 14   0.032508 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK]
Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 15   0.032544 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK]
Seq=3963293630 Ack=2682727814 Win=46 Len=0
 16   0.033867 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK]
Seq=3963293630 Ack=2682727814 Win=46 Len=0
 17   0.033897 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727814 Ack=3963293631 Win=63812 Len=0
 18   0.034434 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK]
Seq=2682727814 Ack=3963293631 Win=63812 Len=0

(please note that I disabled the analysis of tcp sequence numbers as
each packet is present twice in the tracefile, which messes up the
analysis of tcp sequence numbers).

Tip 1: when there was a routing hop in between the client and the server,
       also display mac-addresses, it will tell you where each packet
       was captured

Tip 2: While you're at it, use colorfiltering in wireshark on the 
       addresses to make it even more visible :-)

Hope this helps,
Cheers,
    Sake
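A worked version of the time-correction step above, added here as an example and not part of Sake's post: it parses the `tshark -ta` summary lines shown in the post (constructed input, re-joined onto single lines), derives the offset as the average of the SYN delta and the SYN/ACK delta (my assumption of the method, which presumes symmetric path delay and reproduces the 9.698941 s used with editcap above), builds the editcap command, and interleaves both captures tagged by capture point.

```python
import re
from collections import namedtuple

# Constructed input: the SYN/SYN-ACK lines of both captures in the post, re-joined (the mail wrapped them).
CLIENT_CAP = """\
  1 22:31:59.246452 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.248515 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7
"""
SERVER_CAP = """\
  1 22:31:49.548529 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:49.548556 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7
"""

# One "tshark -ta" summary line: frame no., time of day, addresses, ports, TCP flags.
LINE = re.compile(r"^\s*\d+\s+(\d\d):(\d\d):(\d\d)\.(\d{6})\s+(\S+) -> (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]")
Pkt = namedtuple("Pkt", "usec src dst sport dport flags")  # usec = time of day in microseconds

def parse(text):
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a summary line
        h, mi, s, frac = (int(x) for x in m.groups()[:4])
        pkts.append(Pkt(((h * 60 + mi) * 60 + s) * 1_000_000 + frac, *m.groups()[4:]))
    return pkts

def handshake_offset_usec(client, server):
    """Offset (client clock minus server clock) to add to the server capture.
    Assumption: symmetric path delay, so the SYN delta (client -> server) and the
    SYN/ACK delta (server -> client) are averaged; this gives the post's 9.698941 s."""
    first = lambda pkts, flags: next(p for p in pkts if p.flags == flags)
    syn_delta = first(client, "SYN").usec - first(server, "SYN").usec
    synack_delta = first(client, "SYN, ACK").usec - first(server, "SYN, ACK").usec
    return round((syn_delta + synack_delta) / 2)

def editcap_command(offset_usec, infile="server.cap", outfile="server-corrected.cap"):
    secs, frac = divmod(abs(offset_usec), 1_000_000)
    return f"editcap -t {'-' if offset_usec < 0 else ''}{secs}.{frac:06d} {infile} {outfile}"

def merged_timeline(client, server, offset_usec):
    """Shift the server packets and interleave both captures by time, tagging each
    packet with its capture point (what mergecap plus Tip 1's MAC addresses show)."""
    tagged = [("client", p) for p in client]
    tagged += [("server", p._replace(usec=p.usec + offset_usec)) for p in server]
    return sorted(tagged, key=lambda t: t[1].usec)

if __name__ == "__main__":
    print(editcap_command(handshake_offset_usec(parse(CLIENT_CAP), parse(SERVER_CAP))))  # editcap -t 9.698941 server.cap server-corrected.cap
```

The merged order it produces (client SYN, server SYN, server SYN/ACK, client SYN/ACK at +0, +1018, +1045 and +2063 µs) is the same as frames 1 to 4 of the cl_srv.cap listing above.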