hello,
I still haven't tried the tool myself, but perhaps it could be useful for you:
http://www.eff.org/testyourisp/pcapdiff/
good luck,
bart
On Tue, Apr 6, 2010 at 2:45 PM, Andrej van der Zee
<andrejvanderzee@xxxxxxxxx> wrote:
> Hi Ian,
>
> Thank you for your reply.
>
>> How many point samples do you need? How many comparisons are you making?
>
> I want to make an average for every second. The cap-files come from
> another department, but there should be many packets a second.
>
>>
>> If it's just a handful, what's wrong with the manual approach? Just
>> locate a few matching packets in each capture (with TCP, *start* by
>> just searching the second capture for some TCP sequence number in the
>> first, which are likely to be unique within each capture unless it's
>> quite large), and, well, compare their timestamps. It shouldn't take
>> more than a minute, tops, per comparison you're doing.
>
> I have to do this for many cap files, for many different machines, on
> many platforms, at many occasions.
>
>
>>
>> Or if you're a shell scripter and have some control over the traffic
>> in your sample captures, perhaps generate your own unique traffic -
>> some "ping" with a unique data pattern, maybe. Then use tshark+some
>> filtering, extract the timestamps using a shell script, and do a
>> little work to compare and print the time deltas between the systems.
>
> I am using now libpcap to read the packets. For starters, I am
> interested in all IP packets.
>
>
>> Do you have more details on the testing you're trying to do; how much
>> control you have over conditions (can you generate your own unique
>> traffic between each host during a given test?), etc? That'd help
>> with giving you some technique ideas.
>
> I have practically no control over the environment, because it is
> different all the time.
>
>>
>>
>> Remember that if you're using the traffic captures to compare time,
>> though, then any network latency will make your comparison less
>> accurate.
>>
>
> Yes, that is another issue. For starters, I would like to match packets
> on both ends of the connection (I know the IP address of both ends).
> Then, compare timestamps and somehow estimate and subtract the
> latency. But the latency is another topic, I will accept the
> accuracy-penalty for now.
>
> What I would like to know is how to match packets on both ends of the
> line, provided that I have the IP numbers. Are there any unique packet
> identifiers that appear in the cap-files on both ends? What should I
> use? For example, when I study the cap-file in Wireshark, I see under
> "Internet Protocol" an "Identification" number that seems to be
> incremented for packets over the same connection (or conversation?).
> Is this Identification number generated by Wireshark or is it really
> in the packet headers? Does it appear in both cap files? In that case,
> I could use a tuple <IP, Identification> to match packets on both
> ends.
>
> Or is there a better way?
>
> Thank you,
> Andrej
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
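Andrej's question above (whether the "Identification" value Wireshark shows is really in the IPv4 header, and whether a tuple of address and Identification can pair packets seen at both ends) can be checked directly by parsing the two captures. The script below is an added example written for this page, not code from anyone in the thread. It reads two pcap files, keys every IPv4 packet on (source, destination, Identification, TCP sequence number), pairs packets that appear in both captures, and averages the timestamp deltas per direction so that a symmetric one-way latency cancels out of the clock-offset estimate. The addresses 10.0.0.5, 192.0.2.10 and 10.0.0.9, the IP IDs, the sequence numbers and the timestamps are constructed inline so the script runs offline; the reader handles only little-endian, microsecond-resolution pcap files with Ethernet framing.

```python
"""Pair packets captured at both ends of a link and compare timestamps.
Added example, not code from the thread; all addresses, IP IDs and
timestamps below are constructed so the script runs offline."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def _ipv4_frame(src, dst, ip_id, proto, payload):
    """Minimal Ethernet/IPv4 frame for the constructed captures (no checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _tcp_segment(sport, dport, seq):
    """Minimal TCP header (data offset 5, PSH|ACK) plus four payload bytes."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + b"data"

def build_pcap(records):
    """Serialise (timestamp_seconds, frame) pairs into a pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a little-endian pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec + usec / 1_000_000, data[offset:offset + incl_len]
        offset += incl_len

def packet_key(frame):
    """(src, dst, ip_id, tcp_seq) read from the headers, or None if not IPv4.
    All four fields travel on the wire, so both captures see the same values."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_id = struct.unpack_from("!H", ip, 4)[0]  # the IPv4 "Identification" field
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    seq = None
    if ip[9] == 6 and len(ip) >= ihl + 8:  # TCP: sequence number disambiguates ID reuse
        seq = struct.unpack_from("!I", ip, ihl + 4)[0]
    return (src, dst, ip_id, seq)

def match_captures(pcap_a, pcap_b, hosts):
    """Pair packets between the two IPs in `hosts`; returns (key, ts_a, ts_b) sorted by ts_a.
    A key seen more than once in either capture (ID wrap, duplicate frame) is skipped."""
    def index(data):
        idx = defaultdict(list)
        for ts, frame in read_pcap(data):
            key = packet_key(frame)
            if key is not None and {key[0], key[1]} == hosts:
                idx[key].append(ts)
        return idx
    a, b = index(pcap_a), index(pcap_b)
    pairs = [(k, a[k][0], b[k][0]) for k in a if k in b and len(a[k]) == 1 and len(b[k]) == 1]
    return sorted(pairs, key=lambda p: p[1])

def estimate_offset(pairs, host_a):
    """Return (clock offset of B relative to A, one-way latency) or None.
    Packets host_a sends are seen at A first (delta = offset + latency); packets it
    receives are seen at B first (delta = offset - latency); averaging cancels latency."""
    out = [b - a for k, a, b in pairs if k[0] == host_a]
    back = [b - a for k, a, b in pairs if k[1] == host_a]
    if not out or not back:
        return None
    mean_out, mean_back = sum(out) / len(out), sum(back) / len(back)
    return (mean_out + mean_back) / 2, (mean_out - mean_back) / 2

# Constructed data: server clock runs 1.5 s ahead of the client's, one-way latency is
# 10 ms, one segment is lost, one frame is duplicated, one packet is another host pair.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
F = {
    "req":   _ipv4_frame(CLIENT, SERVER, 0x1001, 6, _tcp_segment(40000, 80, 1000)),
    "reply": _ipv4_frame(SERVER, CLIENT, 0x7A10, 6, _tcp_segment(80, 40000, 5000)),
    "dup":   _ipv4_frame(CLIENT, SERVER, 0x1002, 6, _tcp_segment(40000, 80, 1004)),
    "next":  _ipv4_frame(CLIENT, SERVER, 0x1003, 6, _tcp_segment(40000, 80, 1008)),
    "lost":  _ipv4_frame(CLIENT, SERVER, 0x1004, 6, _tcp_segment(40000, 80, 1012)),
    "other": _ipv4_frame("10.0.0.9", SERVER, 0x0001, 17, b"\x00" * 8),
}
CLIENT_CAP = build_pcap([(100.000, F["req"]), (100.020, F["reply"]), (100.050, F["dup"]),
                         (100.051, F["dup"]), (100.080, F["next"]), (100.090, F["lost"]),
                         (100.095, F["other"])])
SERVER_CAP = build_pcap([(101.510, F["req"]), (101.510, F["reply"]), (101.560, F["dup"]),
                         (101.561, F["dup"]), (101.590, F["next"]), (101.605, F["other"])])

if __name__ == "__main__":
    pairs = match_captures(CLIENT_CAP, SERVER_CAP, {CLIENT, SERVER})
    for key, ts_c, ts_s in pairs:
        print("id=%#06x seq=%s delta=%+.3f" % (key[2], key[3], ts_s - ts_c))
    print("offset, latency:", estimate_offset(pairs, CLIENT))
```

The Identification value is carried in the IPv4 header exactly as the sending host set it; Wireshark only decodes it, so the same value is visible at both capture points. It is a 16-bit field that wraps on a busy sender and is reused across conversations, which is why the TCP sequence number is folded into the key and any key that repeats within a capture is dropped rather than guessed. Matching on addresses assumes there is no NAT between the two capture points; with one, each side has to be indexed by the addresses that side actually sees. The offset estimate assumes the latency is the same in both directions, which is the usual simplification when nothing better than the captures is available.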