Compare Binary Files with Nwdiff

Nwdiff compares two files. With its special way of displaying differences, this free tool lets one pinpoint differences down to a single bit. It also grants some insight into the structure of a file.

There are plenty of programs to compare files. Most of them can operate on text files only. Others can compare binary files, but express the differences found in endless lists. Of course most hex editors like 010 and WinHex can compare binary files, too. Usually such tools use colors to mark differences in a hex view.

Belden Software chose a different, and in my opinion much clearer, way to display the differences in their free tool nwdiff.

nwdiff compares two binary files

The screen consists of four square displays. Each shows a section 64 KiB in size. The PgUp and PgDown keys navigate to the previous or next chunk of data. The top row displays both files bit by bit. This might be unusual at first, but after a short while one can identify regions of apparently different function at a glance.

In order to produce the sample pictures I saved an eventlog of Windows Vista at two different points in time. Vista uses a proprietary binary file format to store events. Even at a glance one can identify different "bands". I don't want to discuss their function in this article, though.

In the bottom row both files are actually compared. The left display shows the result of a bit by bit XOR operation. A light green pixel marks a bit that differs between the two files, while equal bits remain dark.

XOR reveals differences in both files

A massive block at the end attracts attention. It is caused by entries which were added to the log after the first sample had been taken. At the top there's a dark region which represents matching entries in both files.

Near the top a careful observer might spot some green dots. In fact there's a section header, containing the number of and a pointer to the last entry along with some other data needed for housekeeping.

In order to recognize the meaning of these differences, one should change from the pixel view to the conventional hex view. This can be done with a well-aimed click at the proper pixel (or at a button, for the clumsy like me). Nwdiff then shows both files in hex, marking the differences in red.

Differences shown in the more common hex view.

The last of the four displays shows an overlay view of both files. Set bits are drawn either in red or in green, depending on the file they belong to. Bits set in both files are marked in yellow.

Overlay view of both files.
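To make the three comparison displays concrete, here is a small added example (my own code, not part of nwdiff) that reproduces the XOR view, the "bands" of differing bytes, the overlay view and a marked-up hex row on two constructed sample files; the sample bytes, the `R`/`G`/`Y` letters and the `*` marker are my own choices standing in for nwdiff's colors.

```python
# Constructed sample input, not real event-log data: file B has a changed header
# field (0x01 -> 0x02, 0x10 -> 0x18) and two records appended at the end.
FILE_A = b"\x01\x00\x00\x10" + b"REC1" * 4
FILE_B = b"\x02\x00\x00\x18" + b"REC1" * 4 + b"REC2" * 2

def _pad(a: bytes, b: bytes):
    """Zero-pad the shorter file so both can be compared bit by bit."""
    n = max(len(a), len(b))
    return a.ljust(n, b"\x00"), b.ljust(n, b"\x00")

def xor_view(a: bytes, b: bytes) -> bytes:
    """Bottom-left display: a XOR b. A set bit is one 'light green pixel',
    equal bits stay dark. Slice 64 KiB at a time to mimic nwdiff's screens."""
    a, b = _pad(a, b)
    return bytes(x ^ y for x, y in zip(a, b))

def diff_regions(a: bytes, b: bytes) -> list:
    """Byte ranges [start, end) whose XOR is non-zero: the header 'dots' near
    the top and the 'massive block' of appended records at the end."""
    xored, regions, start = xor_view(a, b), [], None
    for off, x in enumerate(xored):
        if x and start is None:
            start = off
        elif not x and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(xored)))
    return regions

def overlay_view(a: bytes, b: bytes, offset: int) -> str:
    """Bottom-right display for one byte, MSB first: '.' clear in both,
    'R' set only in a, 'G' set only in b, 'Y' set in both."""
    a, b = _pad(a, b)
    x, y = a[offset], b[offset]
    cells = []
    for bit in range(7, -1, -1):
        sa, sb = (x >> bit) & 1, (y >> bit) & 1
        cells.append("Y" if sa and sb else "R" if sa else "G" if sb else ".")
    return "".join(cells)

def hex_line(a: bytes, b: bytes, offset: int, width: int = 16) -> str:
    """One row of the hex display of b; a byte that differs from a gets a '*'
    where nwdiff would paint it red."""
    a, b = _pad(a, b)
    cells = [f"{b[i]:02x}{'*' if a[i] != b[i] else ' '}"
             for i in range(offset, min(offset + width, len(b)))]
    return f"{offset:08x}  " + "".join(cells).rstrip()
```

On the sample files `diff_regions` reports the two changed header bytes as isolated "dots" and the appended records as one contiguous block, the same picture the XOR screenshot above shows for the event log.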

Nwdiff helped me a lot to develop a better understanding of the Vista Eventlog internals. Its distinct look and feel allows one to catch the "rhythm" of an unknown file format and to identify differences at a glance.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12