How can I diff two network dumps from tcpdump or Wireshark?

Question

I'm having a problem with one of our customers' embedded computers. They seem to discard some network packets which they should not. I can capture the TCP communication from a managed switch outside the box using Wireshark and I can probably also manage to capture all data from within using tcpdump. I could load both dumps into Wireshark and compare them myself. But is there an easier way to only see the differences between two such dump files?

Gareth · Accepted Answer · 2017-04-20T16:32:33.427

1

I can't remember if I've used it or not, but I think TPCAT can do what you're after.

TPCAT screenshot

edited Apr 20 '17 at 16:32

answered Apr 01 '11 at 12:10

Gareth

19,080

score 0 · Answer 2 · answered Mar 04 '16 at 12:53

0

Open both files with vimdiff in hexadecimal mode:

$ vimdiff file1.pcap file2.pcap

Once in vim, switch each window to hexadecimal mode:

:%!xxd

answered Mar 04 '16 at 12:53

Diego Pino

101

How can I diff two network dumps from tcpdump or Wireshark?

2 Answers2