Wireshark-users: [Wireshark-users] Comparing Capture Files from Multiple Locations
From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Date: Thu, 9 Oct 2008 14:49:31 -0700
Hello Blake,

Thank you for the excellent tip. One question though: what happens when there is variable latency in the link (congestion)? It would seem that a fixed time offset would cause packets to be ordered incorrectly. Or am I looking at this the wrong way?

Thanks,
Barry
Principal Member of Technical Staff

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Thursday, October 09, 2008 10:29 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 29, Issue 17

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..."

Today's Topics:

   1. Comparing Capture Files from Multiple Locations (Barry Constantine)
   2. Re: Mac OS 10.4 build? (Nicolás Christie)
   3. Re: Mac OS 10.4 build? (Ian Schorr)
   4. Re: Comparing Capture Files from Multiple Locations (Sake Blok)
   5. Re: Comparing Capture Files from Multiple Locations (Abhik Sarkar)
   6. Re: tshark showing null values in the generated pdml file (Abhik Sarkar)
   7. Graphing 802.11 contention (Steve Evans)

----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Oct 2008 17:36:36 -0700
From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Subject: [Wireshark-users] Comparing Capture Files from Multiple Locations
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <6ECE57DF49376146B91A92A3C37EFC0E06AC7915@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

If captures are performed at two locations (say a Web Browser workstation and Web Server), is there an easy way to compare both capture files to do somewhat of a "diff" function between the two capture files?

I understand that timestamps, IP IDs, etc. will be different; this would be really more of a Layer 4+ level "diff".

Thanks,
Barry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081008/fc7c4175/attachment.htm

------------------------------

Message: 2
Date: Wed, 8 Oct 2008 22:34:35 -0300
From: "Nicolás Christie" <nicolas.christie@xxxxxxxxx>
Subject: Re: [Wireshark-users] Mac OS 10.4 build?
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <6cac2fc10810081834y56b4c183j250ccfdc9b6b0a71@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi, thanks for the reply Stephen, Guy and Stig... and sorry, should have given some more info.

I'm trying to use Wireshark 1.0.3 on an Intel based MacBook Pro with Mac OS 10.4. Apparently something does need OS 10.5. When opening the app, it opens X11, shows in my dock for a few seconds and then disappears! I'm guessing because some checking went wrong and the app couldn't continue opening.

As for compiling the code, software is not particularly my strong point. I'm an Electronics Engineering student, so I'm guessing I'd need some help with that. I did read the MacOS.readme file included in the source code, but I'd probably have more luck knitting a jacket! :) UNIX Command Line is uncharted territory... sorry :S

_______________________
Nicolás Christie
nicolas.christie@xxxxxxxxx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081008/aefa4726/attachment.htm

------------------------------

Message: 3
Date: Thu, 9 Oct 2008 14:40:08 +1000
From: "Ian Schorr" <ian.schorr@xxxxxxxxx>
Subject: Re: [Wireshark-users] Mac OS 10.4 build?
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <99996da00810082140x55865837l659534f7d96640dc@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Not to go too off-topic, but I've been meaning to ask. Do you know what the reason for this is? Is it just lack of PPC equipment where the build systems are? Or some other reason?

On Wed, Oct 8, 2008 at 2:05 PM, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:

> Unfortunately, the pre-compiled
> binary is Intel only right now.
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081009/ad0c8567/attachment.htm

------------------------------

Message: 4
Date: Thu, 9 Oct 2008 08:37:52 +0200
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Comparing Capture Files from Multiple Locations
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20081009063752.GA20848@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi Barry,

> If captures are performed at two locations (say a Web Browser workstation
> and Web Server), is there an easy way to compare both capture files to do
> somewhat of a "diff" function between the two capture files?
>
> I understand that timestamps, IP IDs, etc. will be different, this would
> be really more of a Layer 4+ level "diff"

There is no(t yet) upper layer diff function in (wire|t)shark and I'm not aware of any other program that has that functionality. However, it might be useful to synchronize the timestamps of the two tracefiles and then merge them into one file. That way you can follow the packets back and forth more easily.

If we have a client and server capture like this:

$ tshark -ta -r client.cap "tcp.flags.syn==1"
  1 22:31:59.246452 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.248515 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

$ tshark -ta -r server.cap "tcp.flags.syn==1"
  1 22:31:49.548529 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:49.548556 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

We can correct the server.cap file so that the timestamps match with the timestamps in client.cap with:

editcap -t 9.698941 server.cap server-corrected.cap

(see http://www.lovemytool.com/blog/2008/09/sake_blok.html for a guideline on how to calculate the proper time correction)

Which results in:

$ tshark -ta -r server-corrected.cap "tcp.flags.syn==1"
  1 22:31:59.247470 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1
  2 22:31:59.247497 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=7

Now we can merge the two files and get:

$ tshark -o "tcp.analyze_sequence_numbers:FALSE" -r cl_srv.cap
  1 0.000000 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  2 0.001018 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [SYN] Seq=2682727706 Win=65535 Len=0 MSS=1460 WS=1
  3 0.001045 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  4 0.002063 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [SYN, ACK] Seq=3963293254 Ack=2682727707 Win=5840 Len=0 MSS=1460 WS=7
  5 0.002100 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK] Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  6 0.002472 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK] Seq=2682727707 Ack=3963293255 Win=64000 Len=0
  7 0.002689 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  8 0.003082 192.168.1.46 -> 192.168.1.20 HTTP GET / HTTP/1.0
  9 0.003118 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK] Seq=3963293255 Ack=2682727813 Win=46 Len=0
 10 0.004058 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [ACK] Seq=3963293255 Ack=2682727813 Win=46 Len=0
 11 0.022906 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (text/html)
 12 0.024024 192.168.1.20 -> 192.168.1.46 HTTP HTTP/1.1 200 OK (text/html)
 13 0.032044 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK] Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 14 0.032508 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [FIN, ACK] Seq=2682727813 Ack=3963293630 Win=63812 Len=0
 15 0.032544 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK] Seq=3963293630 Ack=2682727814 Win=46 Len=0
 16 0.033867 192.168.1.20 -> 192.168.1.46 TCP http > 43426 [FIN, ACK] Seq=3963293630 Ack=2682727814 Win=46 Len=0
 17 0.033897 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK] Seq=2682727814 Ack=3963293631 Win=63812 Len=0
 18 0.034434 192.168.1.46 -> 192.168.1.20 TCP 43426 > http [ACK] Seq=2682727814 Ack=3963293631 Win=63812 Len=0

(please note that I disabled the analysis of tcp sequence numbers as each packet is present twice in the tracefile, which messes up the analysis of tcp sequence numbers).

Tip 1: when there was a routing hop in between the client and the server, also display mac-addresses; it will tell you where each packet was captured.
Tip 2: While you're at it, use colorfiltering in wireshark on the addresses to make it even more visible :-)

Hope this helps,

Cheers,
Sake

------------------------------

Message: 5
Date: Thu, 9 Oct 2008 10:39:24 +0400
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Subject: Re: [Wireshark-users] Comparing Capture Files from Multiple Locations
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <c460e4040810082339g70ef71e7l8806e8a8a9e7448c@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

There is an enhancement patch https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2589 which needs to be reviewed. For now, I don't think there is any feature like that, but perhaps someone else has a better idea.

On Thu, Oct 9, 2008 at 4:36 AM, Barry Constantine <Barry.Constantine@xxxxxxxx> wrote:
> Hello,
>
> If captures are performed at two locations (say a Web Browser workstation
> and Web Server), is there an easy way to compare both capture files to do
> somewhat of a "diff" function between the two capture files?
>
> I understand that timestamps, IP IDs, etc. will be different, this would be
> really more of a Layer 4+ level "diff"
>
> Thanks,
> Barry
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>

------------------------------

Message: 6
Date: Thu, 9 Oct 2008 13:50:11 +0400
From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>
Subject: Re: [Wireshark-users] tshark showing null values in the generated pdml file
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <c460e4040810090250p69214b28x92ed77a4793df131@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

On Tue, Oct 7, 2008 at 10:12 PM, siri m <svu004@xxxxxxxxx> wrote:
> I have 2 questions:
>
> (1) If wireshark gui (0.99.6) can show the right values for the show and
> value for the smpp message, was bug fix 1110 a temporary fix?

I am not sure if that was a temporary fix or not, but a lot more things can be done in the GUI than the way in which the packet is exported to PDML. So, I don't think the two can be compared. My understanding is that the bug 1110 was reporting invalid characters in the PDML file and the handling of FT_NONE was changed accordingly.

>
> (2) Is there an alternative way to get the show and value present in the
> smpp message? (previously with tethereal, we used to convert the smpp
> capture file to pdml format and then, convert the hex value in the value
> attribute of the pdml file to get the contents...).
>

I will review this and perhaps post a patch to enhance the handling.

------------------------------

Message: 7
Date: Thu, 9 Oct 2008 07:22:04 -0700 (PDT)
From: Steve Evans <sc_evans@xxxxxxxxx>
Subject: [Wireshark-users] Graphing 802.11 contention
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <92309.88659.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-7"

Porting Vocera Badge to Symbol MC70 - Phase2

I would like to know if there is a proven method for either filtering or graphing 802.11 contention to establish a baseline to compare the differences when encountering latency problems. I thought of measuring Contention Free Period End over time but it doesn't seem to show anything of value.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081009/9c542d16/attachment.htm

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

End of Wireshark-users Digest, Vol 29, Issue 17
***********************************************
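The recipe Sake Blok gives in message 4 of the quoted digest (read the first SYN and SYN/ACK of the connection from both captures, shift the server capture with editcap -t, merge, then read the merged file with TCP sequence analysis switched off) can be scripted end to end. The script below is an added example written for this archive page; it is not code from the mailing list thread or from the Wireshark project. The 9.698941 seconds fed to editcap in the digest is exactly the mean of the two per-packet differences visible in the tshark output, (22:31:59.246452 - 22:31:49.548529) = 9.697923 and (22:31:59.248515 - 22:31:49.548556) = 9.699959, so the script computes the offset the same way. Averaging the SYN and SYN/ACK differences cancels the one-way delay of the handshake only if the path is symmetric, and a single constant offset corrects clock skew between the two capture hosts, not packet ordering caused by varying network delay; it is only as good as the assumption that both clocks run at the same rate for the length of the trace. The names to_us, sync_offset, first_ts, sync_and_merge and the derived file name server-corrected.cap are this example's own. sync_and_merge assumes tshark, editcap and mergecap on PATH, and the timestamps used in the comments and checks are the ones printed in the digest.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or the Wireshark project):
# synchronise a client-side and a server-side capture of one TCP connection
# and merge them, following the editcap -t / merge recipe from message 4.

# Convert a tshark timestamp to integer microseconds so the subtraction is
# exact. Accepts "HH:MM:SS.ffffff" (as printed by tshark -ta) or epoch
# seconds ("1223594519.246452", as printed by -T fields -e frame.time_epoch).
to_us() {
    awk -v t="$1" 'BEGIN {
        split(t, p, ".")
        frac = substr(p[2] "000000", 1, 6)       # pad or truncate to 6 digits
        n = split(p[1], h, ":")
        secs = 0
        for (i = 1; i <= n; i++) secs = secs * 60 + h[i]
        printf "%d%s\n", secs, frac
    }'
}

# Offset in seconds to add to the server capture: the mean of
# (client - server) for the SYN and for the SYN/ACK. Averaging cancels the
# one-way delay of the handshake when the path is symmetric. With the four
# timestamps shown in the digest this yields 9.698941.
# Arguments: client SYN, server SYN, client SYN/ACK, server SYN/ACK.
sync_offset() {
    cs=$(to_us "$1"); ss=$(to_us "$2"); ca=$(to_us "$3"); sa=$(to_us "$4")
    awk -v cs="$cs" -v ss="$ss" -v ca="$ca" -v sa="$sa" \
        'BEGIN { printf "%.6f\n", ((cs - ss) + (ca - sa)) / 2 / 1000000 }'
}

# Epoch timestamp of the first packet in capture $1 matching display filter $2.
first_ts() {
    tshark -r "$1" -Y "$2" -T fields -e frame.time_epoch 2>/dev/null | head -n 1
}

# Full pipeline; needs tshark, editcap and mergecap on PATH.
#   $1 client capture, $2 server capture,
#   $3 display filter selecting the connection (e.g. 'tcp.port==43426'),
#   $4 merged output file.
sync_and_merge() {
    client=$1; server=$2; flow=$3; out=$4
    syn="$flow && tcp.flags.syn==1 && tcp.flags.ack==0"
    synack="$flow && tcp.flags.syn==1 && tcp.flags.ack==1"
    off=$(sync_offset "$(first_ts "$client" "$syn")"    "$(first_ts "$server" "$syn")" \
                      "$(first_ts "$client" "$synack")" "$(first_ts "$server" "$synack")")
    corrected="${server%.*}-corrected.cap"
    editcap -t "$off" "$server" "$corrected"      # shift every server timestamp
    mergecap -w "$out" "$client" "$corrected"     # mergecap orders by timestamp by default
    # Every packet is now present twice, once per capture point, so disable
    # TCP sequence analysis; eth.src tells which side captured each copy
    # when a router sat between client and server (Sake's tip 1).
    tshark -o tcp.analyze_sequence_numbers:FALSE -r "$out" -T fields \
        -e frame.number -e frame.time_relative -e eth.src \
        -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
}

# Usage: sync_and_merge client.cap server.cap 'tcp.port==43426' cl_srv.cap
```

sync_offset can be called on its own with the four timestamps copied from the two tshark listings, which is handy for checking a value before touching any capture file. A negative result is fine; editcap -t accepts negative adjustments when the server clock is ahead of the client clock.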