Ethereal-users: Re: [Ethereal-users] Checking TCP before and after firewall

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Fri, 22 Jun 2001 22:17:42 +0200
On Fri, Jun 22, 2001 at 01:50:19PM -0600, Tom Trenker wrote:
> I would like to use two ethereal sessions to compare some X11 packets
> before and after they have passed through a firewall. I think that if I
> could hack the print function to print the sequence number from the TCP
> header, and then a hex dump of the X11 data from the same packet, I could
> then use "diff" to show me what was changed. (I believe the firewall is
> dropping bits occasionally) If I use the current print function, the hex
> dump shows the whole packet, where there are legitimate changes due to
> network address translation, making a "diff" comparison rather useless.
> 
> Any suggestions, or pointers?

tethereal -V -r outside.pcap | sed 's/.../.../g' >outside-decoded.pcap
tethereal -V -r inside.pcap | sed 's/.../.../g' >inside-decoded.pcap
diff -u outside-decoded.pcap inside-decoded.pcap

The sed (perl, awk, whatever) part is to compensate for TCP seqno changes,
IP-Address changes and maybe delete the first few lines with timestamp
and layer 2 header. You may want to keep the frame number.

 Ciao
        Jörg

--
Joerg Mayer                                          <jmayer@xxxxxxxxx>
I found out that "pro" means "instead of" (as in proconsul). Now I know
what proactive means.
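
One way to fill in the elided sed step from the reply above, written with awk; this is an added example and not part of the original message. The helper names (normalize, compare_decodes, sample) are hypothetical, and the field labels and sample frames are constructed approximations of a verbose text decode, so adjust the patterns to what your tethereal -V output actually prints.

```shell
# normalize: read a verbose text decode on stdin, write a diff-friendly form.
# The field labels matched below are assumptions about the decode text.
normalize() {
  awk '
    /^[^ ]/ { section = $1 }                         # unindented line opens a protocol section
    section == "Ethernet" { next }                   # layer 2 header differs on each side
    section == "Frame" && !/Frame Number:/ { next }  # drop timestamps, keep the frame number
    section == "Internet" || section == "Transmission" {
      gsub(/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/, "<ip>") # NAT rewrites addresses
      gsub(/Seq: [0-9]+/, "Seq: <n>"); gsub(/Ack: [0-9]+/, "Ack: <n>")
      sub(/number: [0-9]+/, "number: <n>")           # sequence and acknowledgement fields
      if (/hecksum:/) sub(/0x[0-9a-fA-F]+/, "<cksum>") # checksums follow the rewritten headers
    }
    { print }
  '
}

# compare_decodes OUTSIDE INSIDE: unified diff of the normalized decodes (exit status as diff).
compare_decodes() {
  tmp=$(mktemp -d) || return 2
  normalize <"$1" >"$tmp/outside"
  normalize <"$2" >"$tmp/inside"
  rc=0; diff -u "$tmp/outside" "$tmp/inside" || rc=$?
  rm -rf "$tmp"; return $rc
}

# sample SRC_IP SEQ REQUEST: constructed lines approximating one decoded frame (not real output).
sample() {
  cat <<EOF
Frame 1 (74 on wire, 74 captured)
    Arrival Time: Jun 22, 2001 13:50:19.0000
    Frame Number: 1
Ethernet II
    Source: 00:00:00:00:00:01
Internet Protocol
    Header checksum: 0x$2 (correct)
    Source: $1
Transmission Control Protocol, Src Port: 1025, Dst Port: 6000, Seq: $2, Ack: 1
    Sequence number: $2
X11
    Request data: $3
EOF
}

# Demo on constructed input: addresses and seqnos differ, and one payload byte was changed.
d=$(mktemp -d)
sample 192.168.1.10 1000 "01 00 02 00" >"$d/out"; sample 10.0.0.5 5000 "01 00 02 04" >"$d/in"
compare_decodes "$d/out" "$d/in" || echo "decodes differ after normalization"
rm -rf "$d"
```

With real captures, save each `tethereal -V -r` decode to a text file and pass the two files to compare_decodes; only lines outside the masked fields should then show up in the diff.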