Wireshark · Ethereal-dev: Re: [Ethereal-dev] Displaying and comparing two traces ...

Ethereal-dev: Re: [Ethereal-dev] Displaying and comparing two traces ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: John McDermott <jjm@xxxxxxxxxx>

Date: Sat, 07 Jul 2001 10:08:18 -0600

Richard,
This could be quite useful, but I have two thoughts:
1) It would be nearly impossible to find matches as proxy-based
firewalls by their nature entail two connections: one from inside host
to firewall and one from firewall to outside host.  Thus, matching ident
fields would not be possible.  Sure, one could find datagrams from host
a to host b in both traces, but I'm not sure how to find the heuristic
to match the packets.  Size won't work as MTUs and windows may differ
along the (up to) 5 firewall path.

2) It seems as though the goal here is not to dissect packets (a task at
which ethereal excels), but to compare packets. How about having
ethereal save "short-form" traces (similar to the top pane on the
display) and use, e.g., perl to compare them?

--john

Richard Sharpe wrote:
...
> X said that even though both machines were in the same organization,
> there was a large number of firewalls between the two machines (greater
> than or equal to 5), and X was looking for ways to figure out what was
> going wrong.

> 
> I envision the following:
> 
> +------------------------+-----------------------+
> | Packet 1 from first    | blank as no match     |
> | Packet 2 from first    | Packet 1 from second  |
> | blank since no match   | Packet 2 from second  |
> | Packet 3 from first    | Packet 3 from first   |
> ...
> 
> Now, I realize that this will require some [considerable] changes.
> Firstly, ethereal will have to be taught how to deal with two separate
> traces at once, and I think it currenly cannot do that.
> 
> Secondly, there are the issues of how you would indicate a match. My
> thinking is, and this ignores non-IP protocols, match on SrcIP, DstIP,
> and Ident fields ... And perhaps allow the user to specify other fields
> to match on ...
> 
> It sounds like this could be very useful in comparing traces, and in our
> complex modern networks, I imagine a number of people want to do this. I
> know I have in the past.
> 

-- 
John McDermott, Writer and Consultant
J-K International, Ltd.
V +1 505/377-6293  F +1 505/377-6313
jjm@xxxxxxxxxx

Follow-Ups:
- Re: [Ethereal-dev] Displaying and comparing two traces ...
  - From: Pavel Mores

References:
- [Ethereal-dev] Displaying and comparing two traces ...
  - From: Richard Sharpe

Prev by Date: Re: [Ethereal-dev] patch for MTP3 (+= ANSI support)
Next by Date: [Ethereal-dev] SMB_LOGON dissector
Previous by thread: [Ethereal-dev] Displaying and comparing two traces ...
Next by thread: Re: [Ethereal-dev] Displaying and comparing two traces ...
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$