First off, I apologize if you receive this twice -- I'd subscribed
to the list with the wrong email and I'm not sure this went through
properly the first time. Sorry for any dupes.
Hello,
I'm curious about diffing packet captures -- we've just started a
project to evaluate a commercial product that aims to eliminate P2P
traffic (hm..) and we want to see what it's doing.
Naturally, wireshark will factor heavily into this, but we're
wondering what else we can use or do when comparing input/output captures
through this network device -- we'll end up with a lot of data, and we're
chiefly interested in the differences between the captures.
We've looked at little things like the EFF's pcapdiff... which,
while interesting, doesn't (yet?) actually do quite what you'd imagine,
given its name. Doing things by hand in the shell with some combination
of tshark/editcap/awk/sort/etc seems to be common, but again could be
unwieldy given that we want to trace, e.g., long-running bittorrent
traffic.
Many, many people must've been faced with a task like this, and we
figure that the wireshark community is probably a great place to start for
advice and experience. Any suggestions would be greatly appreciated --
thanks very much,
d.
_____
david m. richter
CITI -- Center for Information Technology Integration
http://www.citi.umich.edu
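One way to get the "what did the device change" view the post is asking for, as an added example that is not part of the original message and not a Wireshark or pcapdiff feature: parse the before and after captures, reduce each packet to a key that ignores the fields an inline device legitimately rewrites (MACs, TTL, checksums, timestamps), and take multiset differences. The captures below are constructed inline (synthetic HTTP, BitTorrent-handshake and DNS packets, then the same traffic after a hypothetical device drops the BitTorrent packet and injects a RST); `build_packet`, `write_pcap`, `read_pcap`, `fingerprint` and `diff_captures` are names chosen here, not from any existing tool.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xa1b2c3d4          # classic libpcap format; pcapng is not handled here


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xffff)
    s += s >> 16
    return (~s) & 0xffff


def build_packet(src, dst, proto, sport, dport, payload, ip_id, ttl=64, flags=0x18):
    """Ethernet + IPv4 + (TCP|UDP) frame for the constructed samples. L4 checksums are
    left zero on purpose; the diff key ignores them anyway."""
    if proto == 6:   # TCP: seq/ack 1, data offset 5 words, caller-chosen flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ip_id, 0, ttl, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4 + payload


def write_pcap(frames, ts0=1_700_000_000):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes):
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xd4c3b2a1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (convert pcapng with editcap -F pcap)")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def fingerprint(frame: bytes):
    """Device-invariant key: drops MACs, TTL, checksums and timestamps so that a
    router hop or forwarding delay does not show up as a difference."""
    if frame[12:14] != b"\x08\x00":
        return ("non-ip", frame)
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    total, ip_id = struct.unpack("!HH", ip[2:6])
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total]
    sport = dport = flags = None
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, payload = l4[13], l4[(l4[12] >> 4) * 4:]
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    else:
        payload = l4
    return (src, dst, proto, sport, dport, flags, ip_id, payload)


def diff_captures(inbound: bytes, outbound: bytes):
    """Multiset difference: what went in but never came out, and what came out unasked."""
    a = Counter(fingerprint(f) for f in read_pcap(inbound))
    b = Counter(fingerprint(f) for f in read_pcap(outbound))
    return {"dropped": a - b, "injected": b - a}


def sample_captures():
    """Constructed before/after captures for a hypothetical P2P-blocking appliance."""
    client, web, tracker, dns = "10.0.0.5", "93.184.216.34", "198.51.100.9", "10.0.0.1"
    http = (client, web, 6, 40001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 1)
    bt = (client, tracker, 6, 40002, 6881, b"\x13BitTorrent protocol" + b"\x00" * 8, 2)
    dq = (client, dns, 17, 50000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6, 3)
    before = write_pcap([build_packet(*p) for p in (http, bt, dq)])
    # After the device: forwarded packets have TTL-1, the BitTorrent handshake is gone,
    # and a forged RST toward the client appears.
    rst = build_packet(tracker, client, 6, 6881, 40002, b"", 0, ttl=64, flags=0x04)
    after = write_pcap([build_packet(*http, ttl=63), rst, build_packet(*dq, ttl=63)])
    return before, after


if __name__ == "__main__":
    before, after = sample_captures()
    for kind, pkts in diff_captures(before, after).items():
        for key, n in pkts.items():
            print(f"{kind:8s} x{n}: {key[0]} -> {key[1]} proto={key[2]} ports={key[3]}->{key[4]} flags={key[5]}")
```

Two caveats for real captures: if the device NATs, take `src`/`dst` (and possibly the ports) out of the key, and over a long-running BitTorrent session the 16-bit IP ID wraps, so either include a coarse time bucket in the key or aggregate per 5-tuple flow (packet and byte counts per flow on each side) instead of keeping every packet in memory.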