NFS stops responding
Benjamin Scott
dragonhawk at gmail.com
Mon Apr 5 12:58:03 EDT 2010
On Mon, Apr 5, 2010 at 9:15 AM, Kevin D. Clark
<kevin_d_clark at comcast.net> wrote:
>> Is there anything like a "diff" utility for pcap captures?
>
> I'm still giving some thought into how I'd actually do this in general.
Hmmm.

The application I was thinking of was taking captures at various
points where the traffic is nominally identical, to see if it really
*is* identical. So capture on the sender, on the destination, and on
one or more uninvolved machines between (monitor ports). Then compare
to see if the nominally identical captures really are, or if not,
where things started getting munged unexpectedly.

Just knowing that things diverge is likely to give one a tremendous
amount of information. Report the packet number and/or time stamp,
and you can then bring that offset up in the regular viewer and start
looking. Sure beats comparing 100s or 1000s (or more!) of packets by
hand.

If you wanted to get *really* fancy, you could craft a plugin for
the Wireshark GUI that would highlight differences, but that seems
like it would not be worth the effort.

Synchronization might be an issue on a busy network. You're likely
to capture more packets on some hosts than others, unless you somehow
manage to start all captures "simultaneously". In some cases, you
might simply be able to do this "by hand" -- examine captures to find
where they line up, and then give an offset for one capture. Perhaps
you could designate a certain filter match as the start package --
i.e., "start comparing after you see a TCP SYN to port 80" or
something like that. If needed, I suppose one could invent a special
"start comparing" datagram which could be sent after all the cameras
are running, like the slate clapper used in movies.

-- Ben
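
[Added example, not part of the original message or the thread:] A sketch of the capture comparison described above: parse two classic pcap files, line them up on a "start comparing" match, and report the packet number and timestamp where they first diverge. Assumptions: classic pcap format with microsecond timestamps (not pcapng), raw frame bytes are comparable across capture points (same L2 segment), and the "CLAPPER" marker and all sample frames are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap file, microsecond timestamps

def read_pcap(data):
    """Parse classic pcap bytes into a list of ((sec, usec), frame_bytes)."""
    for endian in ("<", ">"):
        if len(data) >= 24 and struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    packets, off = [], 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "4I", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # capture was cut off mid-record; drop the partial packet
        packets.append(((sec, usec), frame))
        off += 16 + incl_len
    return packets

def first_divergence(cap_a, cap_b, is_start=None):
    """Compare frames pairwise from the sync point. Returns None if they agree,
    else the 1-based packet number and timestamp of the mismatch in each capture."""
    def sync(cap):
        if is_start is None:
            return 0
        for i, (_ts, frame) in enumerate(cap):
            if is_start(frame):
                return i
        raise ValueError("start marker not found in capture")
    ia, ib = sync(cap_a), sync(cap_b)
    for n, ((ts_a, fa), (ts_b, fb)) in enumerate(zip(cap_a[ia:], cap_b[ib:])):
        if fa != fb:  # assumption: raw bytes are comparable (same L2 segment)
            return {"a": (ia + n + 1, ts_a), "b": (ib + n + 1, ts_b)}
    return None  # the shorter capture ran out without a mismatch

def make_pcap(packets):
    """Build little-endian pcap bytes from (sec, usec, frame) tuples (sample data only)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<4I", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample: monitor capture started earlier; third frame after the marker differs.
SENDER = make_pcap([(100, 0, b"CLAPPER"), (100, 10, b"frame-1"),
                    (100, 20, b"frame-2"), (100, 30, b"frame-3")])
MONITOR = make_pcap([(99, 0, b"noise"), (100, 5, b"CLAPPER"), (100, 15, b"frame-1"),
                     (100, 25, b"frame-2"), (100, 35, b"frame-X")])
```

Calling `first_divergence(read_pcap(SENDER), read_pcap(MONITOR), lambda f: b"CLAPPER" in f)` reports packet 4 in the sender capture and packet 5 in the monitor capture, which are the offsets to open in the regular viewer.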