I'm having a problem with one of our customers' embedded computers. They seem to discard some network packets which they should not. I can capture the TCP communication from a managed switch outside the box using Wireshark and I can probably also manage to capture all data from within using tcpdump. I could load both dumps into Wireshark and compare them myself. But is there an easier way to only see the differences between two such dump files?
2 Answers
I can't remember if I've used it or not, but I think TPCAT can do what you're after.
- That one doesn't work. Or at least I can't figure out how to use it. It says no single packet would match. – ygoe, commented Apr 1, 2011 at 13:56
- I think it's based on pcapdiff - does this do the job? eff.org/testyourisp/pcapdiff – Gareth, commented Apr 1, 2011 at 13:58
- I seem to have used it the wrong way. Now I get the message that both captures match. I just need to find a way to drop single packets in the middle of the capture to test it. But it looks good (from a functional perspective, not a stylistic...), thank you! – ygoe, commented Apr 1, 2011 at 14:16
- Yeah, it's rare to come across a network tool that's both very functional and very beautiful. :) Glad it helped though. – Gareth, commented Apr 1, 2011 at 14:18
Open both files with vimdiff in hexadecimal mode:
$ vimdiff file1.pcap file2.pcap
Once in vim, switch each window to hexadecimal mode:
:%!xxd
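An added example, not part of either answer and not code from TPCAT or pcapdiff: a packet-level comparison of two classic pcap files that ignores the per-record timestamps (which differ between capture points) and reports TCP/IPv4 segments present in one capture but absent from the other. The function names, addresses, ports and sample captures are constructed for illustration. It assumes Ethernet link type, untagged IPv4 frames, and that segmentation offload does not merge segments at the host capture point.

```python
import struct
from collections import Counter

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def read_pcap(data):
    """Yield raw frames from a classic pcap (not pcapng), ignoring record timestamps."""
    e = MAGIC.get(data[:4])  # byte order of the file, from its magic number
    if e is None or struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_key(frame):
    """Fields of a TCP/IPv4 segment that are identical at both capture points."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    if len(ip) < ihl + 14:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    payload_len = total_len - ihl - (off_flags >> 12) * 4  # from headers, so padding is ignored
    return (ip[12:16], ip[16:20], ip_id, sport, dport, seq, ack, off_flags & 0x1FF, payload_len)

def missing(a, b):
    """Segments that occur more often in capture a than in capture b."""
    ka, kb = (Counter(filter(None, map(tcp_key, read_pcap(x)))) for x in (a, b))
    return list((ka - kb).elements())

# Constructed sample data: three segments seen at the switch, the middle one absent on the host.
def make_frame(ip_id, seq, payload):
    tcp = struct.pack("!HHIIHHHH", 40000, 502, seq, 0, 0x5018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + tcp

def make_pcap(frames, t0):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

FRAMES = [make_frame(1, 1000, b"AAAA"), make_frame(2, 1004, b"BBBB"), make_frame(3, 1008, b"CCCC")]
SWITCH, HOST = make_pcap(FRAMES, 100), make_pcap([FRAMES[0], FRAMES[2]], 250)
if __name__ == "__main__":
    print([(k[2], k[5], k[8]) for k in missing(SWITCH, HOST)])  # (ip_id, seq, payload_len)
```

With real files, pass the bytes of each capture, for example `missing(open("switch.pcap", "rb").read(), open("host.pcap", "rb").read())`, where both file names are placeholders.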