1

I made a capture of the USB traffic with USBPcap and Wireshark to debug a HID touchscreen.

Now I have identified the interesting URB_INTERRUPT packets, but how do I compare the HID data of those?

I added an example:

sample Data

I want to spot the binary differences to guess in which byte the x and y position is encoded, but I haven't found any diff tools for Wireshark. Also, the "Copy Bytes ... as Raw Binary" option gives me an empty clipboard, so using Sublime or any other text editor also does not work.

1 Answer

0

Comparing frames is fairly difficult.

I posted some Wireshark information with the difficulties and some Comm View (I use Comm View) that could be a little more hopeful.

Compare Wireshark frames

That actually sounds like a fun little project if it doesn't exist. You might be able to use the Perl Net::Pcap library to ingest the file, then make the necessary comparison at the offset you desire. You could render the differences and frame numbers into HTML. I wish I had more time (and Perl knowledge) so I could give you more direction. Maybe someone else knows of something already built (or something that could be easily adapted).

I don't know all of your specifics, but maybe a dissector could be written for the industrial protocol you are analyzing and do away with the need to compare.

Compare frames in Comm View

Damaged frames are not counted in other charts and tables for the obvious reason: No part of a frame with the wrong CRC value is credible. It may have a completely wrong IP address, data payload, etc., although in real life such frames bear a resemblance to the original. For the same reason CRC Errors cannot be attributed to a particular wireless AP or station, as it's impossible to determine the real sender's MAC address.

Nevertheless, the user may want to check the Capture damaged frames box in the options, in which case damaged frames will also be shown in the packet list. By default, such frames are marked with red and have the "CRC" identifier shown in the Errors column of the Packets tab.

Not all the wireless adapters are capable of passing damaged frames to the application level. Such functionality is guaranteed only for the recommended adapters supported by CommView for WiFi.

2
  • Thanks for your answer. How could it be that nobody so far was annoyed enough to compare Wireshark frames manually to actually build a tool to do so? Or why is this not a feature in Wireshark? I don't quite get the second part of your answer: What do CRC Errors have to do with my question?
    – Leon D
    Commented May 11, 2021 at 7:38
  • Comparing frames requires the software vendor to build that facility in and so far it has not been done. The second part was just further indication of difficulty. Errors came up in the search through Comm View as part of why frames might be compared.
    – anon
    Commented May 11, 2021 at 11:01
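
Added example, not part of the original question or answer: a small Python script for the byte-level comparison the question asks about. It assumes the HID payload of each URB_INTERRUPT packet has already been exported as one hex string per report; the sample reports, their layout and all function names are constructed for illustration.

```python
"""Byte-level comparison of HID report payloads (constructed sample data)."""

# Constructed sample, one hex string per report. Invented layout:
# report id, contact flag, X (16-bit little-endian), Y (16-bit little-endian).
SAMPLE_REPORTS = [
    "01 01 d6 02 40 01",
    "01 01 eb 02 40 01",
    "01 01 00 03 55 01",
    "01 01 15 03 6a 01",
    "01 01 2a 03 7f 01",
    "01 00 2a 03 7f 01",
]

def parse_reports(hex_lines):
    """Turn hex strings (space or colon separated) into equal-length bytes."""
    reports = [bytes.fromhex(l.replace(":", " ")) for l in hex_lines if l.strip()]
    if len({len(r) for r in reports}) > 1:
        raise ValueError("reports differ in length; compare one report type at a time")
    return reports

def offset_stats(reports):
    """Per byte offset: number of distinct values and of changes between neighbours."""
    stats = []
    for off in range(len(reports[0])):
        col = [r[off] for r in reports]
        changes = sum(a != b for a, b in zip(col, col[1:]))
        stats.append({"offset": off, "distinct": len(set(col)), "changes": changes})
    return stats

def varying_offsets(reports):
    """Offsets that are not constant across the capture."""
    return [s["offset"] for s in offset_stats(reports) if s["distinct"] > 1]

def diff_pair(a, b):
    """(offset, old, new) for every byte that differs between two reports."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def u16le_series(reports, off):
    """Read bytes off..off+1 as little-endian 16-bit to test a coordinate guess."""
    return [int.from_bytes(r[off:off + 2], "little") for r in reports]

if __name__ == "__main__":
    reps = parse_reports(SAMPLE_REPORTS)
    for s in offset_stats(reps):
        print(s)
    for n, (a, b) in enumerate(zip(reps, reps[1:])):
        print(n, "->", n + 1, [(i, f"{x:02x}->{y:02x}") for i, x, y in diff_pair(a, b)])
    for off in varying_offsets(reps)[:-1]:
        print("u16le @", off, u16le_series(reps, off))
```

A low byte that wraps while its neighbour increments by one (offsets 2 and 3 in the sample) points to a multi-byte field, which is why the 16-bit series is more telling than single-byte differences.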
