Wireshark mailing list archives
Re: [Wireshark-users] Plotting TCP Sequence Number Against Timestamp Option Value?
From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Mon, 8 Dec 2014 15:49:59 +0000 (UTC)
Harry Trieu <htrieu@...> writes:
> Does anyone know of a way to take a packet capture and plot TCP sequence
> numbers against timestamp option values?

You can use tshark to print the fields you want and if you want an actual plot, you can then import the column data into a spreadsheet and then just plot it from there.

To get the columns you want, look into the -T fields and -e <field> options. For example:

    tshark -r afile.pcap -T fields -e tcp.seq -e tcp.options.timestamp.tsval

The sequence #'s displayed may or may not be relative sequence #'s, depending upon the TCP preference. You can change the way the sequence #'s are displayed by passing the "-o tcp.relative_sequence_numbers:TRUE" or "-o tcp.relative_sequence_numbers:FALSE" option to tshark.

In order for the data to make the most sense, you'll probably need to filter your capture file to isolate a particular stream, and then a particular direction so you get meaningful sequence #'s. For example:

    tshark -r afile.pcap -2R "ip.src eq 1.1.1.1 and tcp.srcport eq 11111 and ip.dst eq 2.2.2.2 and tcp.dstport eq 22222" -T fields -e tcp.seq -e tcp.options.timestamp.tsval

For more information, refer to https://www.wireshark.org/docs/man-pages/tshark.html

Hope it helps.
- Chris
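
Added example, not part of the original post: a Python sketch that turns the tab-separated output of the tshark commands above into plot-ready CSV, skipping segments that carry no timestamp option and unwrapping the 32-bit counters so absolute sequence numbers (relative_sequence_numbers:FALSE) do not fold back at 2^32. The function names and the sample lines are constructed for illustration.

```python
import csv
import io

MOD = 1 << 32  # tcp.seq and TSval are both 32-bit counters

# Constructed sample of `tshark -T fields -e tcp.seq -e tcp.options.timestamp.tsval`
# output for one direction of one stream (not from a real capture).
SAMPLE = (
    "4294965000\t1000\n"
    "4294966448\t1002\n"
    "600\t1004\n"        # sequence number wrapped past 2^32
    "2048\t\n"           # segment without a timestamp option
    "2048\t1007\n"
    "garbage line\n"     # anything that is not two numeric columns
)

def unwrap(value, prev):
    """Return the number congruent to value mod 2^32 that lies closest to prev."""
    if prev is None:
        return value
    delta = (value - prev + MOD // 2) % MOD - MOD // 2
    return prev + delta  # delta may be negative (retransmission, reordering)

def parse_fields(text):
    """Parse tshark field output into ([(seq, tsval), ...], skipped_line_count)."""
    points, skipped = [], 0
    prev_seq = prev_ts = None
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 2 or not all(c.isdigit() for c in cols):
            skipped += 1  # empty TSval, multi-valued field, or malformed line
            continue
        prev_seq = unwrap(int(cols[0]), prev_seq)
        prev_ts = unwrap(int(cols[1]), prev_ts)
        points.append((prev_seq, prev_ts))
    return points, skipped

def to_csv(points):
    """Render the points as CSV text that a spreadsheet can import and plot."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["seq", "tsval"])
    writer.writerows(points)
    return out.getvalue()

if __name__ == "__main__":
    pts, dropped = parse_fields(SAMPLE)
    print(to_csv(pts), end="")
    print(f"# skipped {dropped} line(s)")
```
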