Snoop output: how to display readable packet data on one single line

snoop, solaris, udp

I'm getting the same data (UDP packets) from two different sources (on 2 different NICs).
I'd like to figure out if one source is "faster" than the other, by comparing the reception timestamps packet by packet.

To do so, I plan to snoop both interfaces at the same time, reconcile packets, and compare timestamps accordingly.

However, I'm having issues with the output of snoop: in order to reconcile each packet properly, I would need to have "one line" of data per packet, but the different snoop options I found are not giving me that. The closest I could find is "snoop -x 0", which will display in both hexadecimal and ASCII, but I don't need hexa, and I need the ASCII on one single line…

Any idea on how to achieve this?

Best Answer

Tell snoop to write the packets to a file (-o file) and load it with Wireshark.

If you're going to sniff for a long period of time and you're not interested in the packets' actual contents, tell snoop to limit it to the first X bytes so you only record the headers (e.g. -s 120).
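An added example, not part of the original answer: a file written with `snoop -o` can also be read directly, since the capture format is documented in RFC 1761, and turned into one line per UDP packet with its timestamp and ASCII payload. The function names and the sample capture are constructed for this example, and it assumes a version 2 Ethernet capture carrying untagged IPv4.

```python
import socket
import struct

SNOOP_MAGIC = b"snoop\x00\x00\x00"
DLT_ETHERNET = 4  # RFC 1761 datalink type for Ethernet

def iter_records(buf):
    """Yield (sec, usec, frame) for each RFC 1761 packet record in buf."""
    magic, version, datalink = struct.unpack_from(">8sII", buf, 0)
    if magic != SNOOP_MAGIC or version != 2 or datalink != DLT_ETHERNET:
        raise ValueError("not a version 2 Ethernet snoop capture")
    off = 16
    while off + 24 <= len(buf):
        _orig, incl, rec_len, _drops, sec, usec = struct.unpack_from(">6I", buf, off)
        if rec_len < 24 + incl or off + rec_len > len(buf):
            break  # truncated or corrupt trailing record
        yield sec, usec, buf[off + 24 : off + 24 + incl]
        off += rec_len  # record length covers header, data and padding

def udp_line(sec, usec, frame):
    """Return one text line for an untagged IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    udp = 14 + ihl
    if ihl < 20 or frame[23] != 17 or len(frame) < udp + 8:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, ulen = struct.unpack_from(">HHH", frame, udp)
    payload = frame[udp + 8 : udp + ulen]  # shorter if snoop -s cut the packet
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    return f"{sec}.{usec:06d} {src}:{sport} > {dst}:{dport} {text}"

def one_line_per_packet(buf):
    """Return the list of output lines for all UDP packets in a capture."""
    lines = (udp_line(*rec) for rec in iter_records(buf))
    return [line for line in lines if line is not None]

def sample_capture():
    """Constructed sample: one UDP datagram 'tick 42\\n' in a snoop file."""
    payload = b"tick 42\n"
    udp = struct.pack(">HHHH", 5000, 6000, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2"))
    frame = bytes(12) + b"\x08\x00" + ip + udp
    pad = -len(frame) % 4
    rec = struct.pack(">6I", len(frame), len(frame), 24 + len(frame) + pad,
                      0, 1700000000, 250)
    return SNOOP_MAGIC + struct.pack(">II", 2, DLT_ETHERNET) + rec + frame + bytes(pad)
```

For a real capture, pass the bytes of the `-o` file to `one_line_per_packet`; if the capture was limited with `-s`, the payload column holds only the bytes that were recorded.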
