Thursday, January 17, 2019

How to compare parallel packet captures?

I often have situations where I need to compare packet captures taken simultaneously from multiple interfaces. Suppose, for instance, you have a setup like this and you want to compare captures taken at A, B, C, and D:

[pc](A)----------(B)[router1](C)----------{internet}--------[router3]------------(D)[server] 

The problem is that the captures were not started at exactly the same time (they were initiated by four different people), so the four capture files do not line up, and the packets that are supposed to match between the files are found at different positions in each file. So, for example, packet #1 at (A) might be found at #231 at (B), #17 at (C), and #843 at (D), but I don't know these diff values in advance, so the matching packets can be found pretty much anywhere. To make matters worse, a lot of traffic is generated and the captures are unfiltered, so there is a lot of data, which makes it harder to find the matching packets.

What can I do to make it easier to find the matching packets in the files?
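One way to line the files up, as an added example that is not part of the original post: instead of searching by packet number, build a key for every packet from fields that survive the trip end to end (IPv4 identification, addresses, ports, TCP sequence number), index one capture by that key, and walk the other capture looking the key up. Every hit gives you a pair of packet numbers, and the median of the timestamp differences over all hits is the clock offset between the two capture hosts, which lets you align the remaining traffic too. The code below is a self-contained libpcap (classic pcap, Ethernet link type) reader plus the matcher; the two captures it runs on are constructed inline for illustration, and the addresses and timing are made up.

```python
"""Correlate packets across independently started pcap files by flow-invariant fields.
Added example; reads classic libpcap files with an Ethernet link type, no third-party libraries."""
import struct
from collections import defaultdict
from statistics import median

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps


def flow_key(frame):
    """Return (ip.id, src, dst, sport, dport, tcp.seq) for an Ethernet/IPv4/TCP frame, else None.
    These fields are normally unchanged at every capture point unless a NAT sits in between."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 20 or ip[9] != 6:                     # need a full TCP header, protocol 6
        return None
    ip_id = struct.unpack_from("!H", ip, 4)[0]
    src, dst = bytes(ip[12:16]), bytes(ip[16:20])
    sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
    return (ip_id, src, dst, sport, dport, seq)


def parse_pcap(data):
    """Yield (packet_number, timestamp_seconds, key) for each TCP frame in a pcap byte string.
    packet_number counts every record (1-based) so it matches what Wireshark shows."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"              # big-endian files use the byte-swapped magic
    off, number = 24, 0                                       # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        number += 1
        key = flow_key(frame)
        if key is not None:
            yield number, ts_sec + ts_usec / 1e6, key


def correlate(pcap_a, pcap_b):
    """Match packets of capture A to capture B by key.
    Returns ([(num_a, num_b, key), ...], median clock offset B-A in seconds or None)."""
    seen_b = defaultdict(list)
    for number, ts, key in parse_pcap(pcap_b):
        seen_b[key].append((number, ts))
    matches, deltas = [], []
    for num_a, ts_a, key in parse_pcap(pcap_a):
        candidates = seen_b.get(key)
        if not candidates:
            continue
        num_b, ts_b = candidates.pop(0)                       # consume in order: duplicates pair up FIFO
        matches.append((num_a, num_b, key))
        deltas.append(ts_b - ts_a)
    return matches, (median(deltas) if deltas else None)      # median resists a few mis-pairings


# --- constructed sample data below: made-up addresses, timestamps and payloads ---

def build_tcp_frame(ip_id, src, dst, sport, dport, seq, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser does not check."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0x4000, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(records):
    """Serialize [(timestamp_float, frame), ...] as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


def demo():
    """Capture at (A) holds three packets; capture at (B) was started on a clock 2.5 s ahead
    and also contains unrelated traffic before and between them."""
    host_a, server = bytes([10, 0, 0, 2]), bytes([203, 0, 113, 7])
    pkts = [build_tcp_frame(1000 + i, host_a, server, 40000, 443, 1_000_000 + 100 * i, b"x" * i)
            for i in range(3)]
    noise = build_tcp_frame(7, server, host_a, 443, 40000, 5, b"noise")
    cap_a = build_pcap([(10.0 + 0.1 * i, p) for i, p in enumerate(pkts)])
    cap_b = build_pcap([(12.3, noise), (12.4, noise), (12.5, pkts[0]),
                        (12.55, noise), (12.6, pkts[1]), (12.7, pkts[2])])
    return correlate(cap_a, cap_b)


if __name__ == "__main__":
    found, offset = demo()
    for num_a, num_b, _ in found:
        print(f"A #{num_a} == B #{num_b}")
    print(f"clock offset B-A: {offset:.6f} s")
```

The sample run pairs A #1/#2/#3 with B #3/#5/#6 and reports an offset of 2.5 s. On real files, the key choice is the part to think about: if router3 performs NAT, addresses and ports differ between (C) and (D), so drop them from the key and rely on ip.id, the sequence number and, for extra safety, a hash of the TCP payload; retransmissions share a sequence number but normally get a fresh ip.id, so they still pair up correctly. Once you have the offset you can shift one file with editcap -t and merge the captures with mergecap so that matching packets sit next to each other in a single Wireshark view.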


