11

I'm having a problem with one of our customers' embedded computers. They seem to discard some network packets which they should not. I can capture the TCP communication from a managed switch outside the box using Wireshark and I can probably also manage to capture all data from within using tcpdump. I could load both dumps into Wireshark and compare them myself. But is there an easier way to only see the differences between two such dump files?

ygoe

2 Answers

1

I can't remember if I've used it or not, but I think TPCAT can do what you're after.

Gaff
  • That one doesn't work. Or at least I can't figure out how to use it. It says no single packet would match. – ygoe Apr 01 '11 at 13:56
  • I think it's based on pcapdiff - does this do the job? https://www.eff.org/testyourisp/pcapdiff/ – Gaff Apr 01 '11 at 13:58
  • I seem to have used it the wrong way. Now I get the message that both captures match. I just need to find a way to drop single packets in the middle of the capture to test it. But it looks good (from a functional perspective, not a stylistic...), thank you! – ygoe Apr 01 '11 at 14:16
  • Yeah, it's rare to come across a network tool that's both very functional and very beautiful. :) Glad it helped though. – Gaff Apr 01 '11 at 14:18
0

Open both files with vimdiff in hexadecimal mode:

$ vimdiff file1.pcap file2.pcap

Once in vim, switch each window to hexadecimal mode:

:%!xxd

Diego Pino
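An added example, not part of the original posts: a packet-level comparison that ignores the per-packet capture timestamps, which differ between two capture points and make every record differ in a byte-wise diff. It assumes classic pcap files (not pcapng), Ethernet framing and IPv4 packets that are unmodified between the two capture points; all function names and the sample captures are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

def read_pcap(data):
    """Yield each captured frame from classic pcap bytes, skipping timestamps."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    offset = 24  # size of the pcap global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def packet_key(frame):
    """Fingerprint the IPv4 packet, ignoring Ethernet header and trailing padding."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        frame = frame[14:14 + int.from_bytes(frame[16:18], "big")]
    return hashlib.sha256(frame).digest()

def missing_packets(outside, inside):
    """Return (index, frame) for packets in `outside` that never appear in `inside`."""
    seen = Counter(packet_key(f) for f in read_pcap(inside))
    missing = []
    for index, frame in enumerate(read_pcap(outside), start=1):
        key = packet_key(frame)
        seen[key] -= 1  # goes negative when outside has more copies than inside
        if seen[key] < 0:
            missing.append((index, frame))
    return missing

def build_pcap(frames, start_sec):
    """Constructed sample data: little-endian Ethernet pcap, one frame per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_sec + i, 0, len(frame), len(frame)) + frame
    return out

def sample_frame(ip_id, payload):
    """Constructed Ethernet + IPv4 frame; checksum zero, transport bytes opaque."""
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), ip_id, 0, 64, 6, 0)
    return bytes(12) + b"\x08\x00" + ip + bytes([192, 0, 2, 1, 192, 0, 2, 2]) + payload

FRAMES = [sample_frame(i, b"segment %d" % i) for i in range(1, 6)]
OUTSIDE = build_pcap(FRAMES, 1000)                  # constructed switch-side capture
INSIDE = build_pcap(FRAMES[:2] + FRAMES[3:], 1007)  # constructed on-box capture, #3 lost

if __name__ == "__main__":
    print("missing inside:", [i for i, _ in missing_packets(OUTSIDE, INSIDE)])
```

The reported index is the packet number in the outside capture, so it can be looked up directly in Wireshark.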