Ethereal-dev: RE: [Ethereal-dev] Displaying and comparing two traces ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (SNO)" <Martin.Visser@xxxxxxxxxx>
Date: Mon, 9 Jul 2001 09:20:05 +0800
Given NAT, and application level proxies, it does make things difficult.
Given that, however, I would imagine you ought to define a mapping between
the two ends, saying that trace1.ip.dest ~= trace2.ip.dest (or tcp ports if
necessary) and then do the comparison. The other way would be to construct a
hash of the data payload and then compare the two, looking for a stream of
similar hashes. (It reminds me a bit of how I think they do DNA matching, with
all the light and dark bands lined up side by side). Also using NTP to
synchronise time stamps (and making assumptions about the bounds of
communication delay) might help.



Martin Visser
Network Consultant - Compaq Global Services

Compaq Computer Australia
410 Concord Road
Rhodes, Sydney NSW 2138
Australia

Phone: +61-2-9022-5630
Mobile: +61-411-254-513
Fax:+61-2-9022-7001
Email:martin.visser@xxxxxxxxxx



-----Original Message-----
From: John McDermott [mailto:jjm@xxxxxxxxxx]
Sent: Sunday, 8 July 2001 2:08 AM
To: rsharpe@xxxxxxxxxx; ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] Displaying and comparing two traces ...


Richard,
This could be quite useful, but I have two thoughts:
1) It would be nearly impossible to find matches as proxy-based
firewalls by their nature entail two connections: one from inside host
to firewall and one from firewall to outside host.  Thus, matching ident
fields would not be possible.  Sure, one could find datagrams from host
a to host b in both traces, but I'm not sure how to find the heuristic
to match the packets.  Size won't work as MTUs and windows may differ
along the (up to) 5 firewall path.

2) It seems as though the goal here is not to dissect packets (a task at
which ethereal excels), but to compare packets. How about having
ethereal save "short-form" traces (similar to the top pane on the
display) and use, e.g., perl to compare them?

--john

Richard Sharpe wrote:
...
> X said that even though both machines were in the same organization,
> there was a large number of firewalls between the two machines (greater
> than or equal to 5), and X was looking for ways to figure out what was
> going wrong.

> 
> I envision the following:
> 
> +------------------------+-----------------------+
> | Packet 1 from first    | blank as no match     |
> | Packet 2 from first    | Packet 1 from second  |
> | blank since no match   | Packet 2 from second  |
> | Packet 3 from first    | Packet 3 from first   |
> ...
> 
> Now, I realize that this will require some [considerable] changes.
> Firstly, ethereal will have to be taught how to deal with two separate
> traces at once, and I think it currently cannot do that.
> 
> Secondly, there are the issues of how you would indicate a match. My
> thinking is, and this ignores non-IP protocols, match on SrcIP, DstIP,
> and Ident fields ... And perhaps allow the user to specify other fields
> to match on ...
> 
> It sounds like this could be very useful in comparing traces, and in our
> complex modern networks, I imagine a number of people want to do this. I
> know I have in the past.
> 


-- 
John McDermott, Writer and Consultant
J-K International, Ltd.
V +1 505/377-6293  F +1 505/377-6313
jjm@xxxxxxxxxx

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev