Network Trace Comparison
Packet-level comparison between two network traces (PCAP files) enables network engineers to efficiently detect discrepancies, anomalies, and unexpected behaviors within network traffic. This tool streamlines the analysis process, providing deeper insights into network performance and security.
Feature Overview:
The Network Trace Comparison tool allows users to:
Analyze Packet Counts: Easily compare the total number of packets in each network trace. In the example below, the first trace contains 170 packets, while the second contains 389 packets.
Identify Unique Packets: The tool detects and highlights packets that are unique between the two traces, aiding in the discovery of discrepancies and abnormal network traffic.
Detailed Packet Comparison: Each unique packet is displayed with detailed information, including:
Protocol (e.g., TCP, ARP)
Timestamp
Source and Destination IP addresses
Ports
Packet flags (e.g., ACK)
Payload size
Example of Comparison Output:
First Trace Packet Count: 170 packets
Second Trace Packet Count: 389 packets
Unique Packet Count: 3 unique packets (up to 500 shown), including:
TCP Packet: 2013/01/07 23:54:40.715594, Diameter protocol, 10.41.132.7:3868 -> 10.41.33.6:3868, ACK flag, 40 bytes of data.
ARP Packet: ARP response, identifier 42.
TCP Packet: 2013/01/10 17:48:37.410277, Diameter protocol, 10.41.132.7:3868 -> 10.41.33.6:3868, ACK flag, 54 bytes of data.
Result Storage:
The detailed results are saved as a PCAP file for further analysis using popular network analysis tools. In this example, the comparison results are saved in: /cifs/capture/permanent/comparison_trace_result.pcap
How to Use the Feature:
Load the two network trace files you wish to compare.
Run the comparison, which will generate a summary report showing packet counts and unique packets.
Access the detailed comparison result in the output PCAP file, which can be further analyzed using packet analysis tools like Wireshark.
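The three steps above, sketched as an added example (not the product's own code or comparison algorithm): it loads two little-endian classic pcap captures, reports both packet counts and the packets present in only one trace, and builds a result pcap from them. It assumes two packets match when their captured bytes are identical regardless of timestamp; `build_pcap`, `parse_pcap`, `compare_traces` and the sample frames are names and data constructed for this illustration.

```python
import struct
from collections import Counter

MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(packets, linktype=1):
    """Serialize [(sec, usec, frame), ...] as little-endian classic pcap bytes."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(blob):
    """Return (linktype, [(sec, usec, frame), ...]); reject damaged input."""
    if len(blob) < 24 or struct.unpack("<I", blob[:4])[0] != MAGIC:
        raise ValueError("not a little-endian classic pcap")
    linktype = struct.unpack("<I", blob[20:24])[0]
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        sec, usec, incl, _ = struct.unpack("<IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated packet data")
        packets.append((sec, usec, frame))
        off += 16 + incl
    return linktype, packets

def compare_traces(first, second):
    """Return (count1, count2, unique packets, result pcap bytes)."""
    (lt1, p1), (lt2, p2) = parse_pcap(first), parse_pcap(second)
    if lt1 != lt2:
        raise ValueError("link types differ; frames are not comparable")
    unique = []
    for mine, theirs in ((p1, p2), (p2, p1)):
        budget = Counter(frame for _, _, frame in theirs)
        for pkt in mine:
            if budget[pkt[2]] > 0:
                budget[pkt[2]] -= 1   # matched by a copy in the other trace
            else:
                unique.append(pkt)    # no unmatched copy left: unique
    unique.sort(key=lambda p: p[:2])  # order the result by timestamp
    return len(p1), len(p2), unique, build_pcap(unique, lt1)

# Constructed placeholder frames (not real traffic); SECOND has one extra frame.
A, B, C = b"\x01" * 60, b"\x02" * 60, b"\x03" * 42
FIRST = build_pcap([(100, 0, A), (101, 0, B)])
SECOND = build_pcap([(200, 5, A), (201, 0, B), (202, 0, C)])
```

Writing the fourth return value to a file gives a capture that opens in Wireshark. Byte-identical matching is strict: the same packet captured at two different points in the network can differ in fields such as TTL and would be reported as unique by this sketch.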