Wireshark mailing list archives
Re: tshark: access to tcp raw seq number
From: Peter Wu <peter () lekensteyn nl>
Date: Thu, 30 Mar 2017 18:15:25 +0200
On Thu, Mar 30, 2017 at 08:39:31AM -0700, Chema Gonzalez wrote:
> Hi,
>
> On Thu, Mar 30, 2017 at 12:23 AM, Pascal Quantin wrote:
> > Hi Chema,
> >
> > 2017-03-30 1:32 GMT+02:00 Chema Gonzalez:
> > > Hi,
> > >
> > > I'm using tshark to extract some fields from packet traces. Using `-e tcp.seq`, tshark prints the relative sequence number. I'd like to print the raw (absolute) at the same time. I don't think this is possible right now (but please let me know if that's the case).
>
> My goal was getting both at the same time. Unless I'm mistaken, I can only get either the relative or the absolute seq number.
If you can parse the PDML (XML) output (tshark -Tpdml), the data is already there:

<proto name="tcp" showname="Transmission Control Protocol, Src Port: https (443), Dst Port: 52457 (52457), Seq: 1, Ack: 1, Len: 0" size="20" pos="34">
...
<field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="eaee29e7"/>
<field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="368808d2"/>

Here you can see that the relative seq number is 1 and that the absolute value is eaee29e7 (hexadecimal for 3941476839).

Alternatively, you could use a Lua post-dissector to parse out the buffer that backs the field ("seq.range" below):

tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...

-- seq.lua
-- Post-dissector that exposes the raw (on-the-wire) TCP sequence number
-- as a new field, tcp.seq_abs, alongside the relative tcp.seq.
local myproto = Proto("dummy", "dummy description")
myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
local tcp_seq = Field.new("tcp.seq")

function myproto.dissector(tvb, pinfo, tree)
    local seq = tcp_seq()  -- FieldInfo for tcp.seq, nil on non-TCP packets
    if seq then
        -- seq.range is the TvbRange of the 4 raw bytes; added as a uint32
        tree:add(myproto.fields.seq, seq.range)
    end
end

register_postdissector(myproto)
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
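The PDML route described above, as an added example that is not part of Peter's mail: a small Python parser that takes the relative number from each field's "show" attribute and the raw number from its "value" attribute, then recovers the per-direction base tshark subtracted (raw minus relative) and checks that every packet of a direction agrees on it. The PDML input is constructed and trimmed to the TCP fields used.

```python
import xml.etree.ElementTree as ET

# Constructed PDML in the shape `tshark -T pdml` emits, trimmed to the TCP
# fields used here (real output carries every dissected proto and field).
SAMPLE_PDML = """<pdml>
 <packet><proto name="tcp" size="20" pos="34">
  <field name="tcp.srcport" size="2" pos="34" show="443" value="01bb"/>
  <field name="tcp.dstport" size="2" pos="36" show="52457" value="cce9"/>
  <field name="tcp.seq" size="4" pos="38" show="1" value="eaee29e7"/>
  <field name="tcp.ack" size="4" pos="42" show="1" value="368808d2"/>
 </proto></packet>
 <packet><proto name="tcp" size="20" pos="34">
  <field name="tcp.srcport" size="2" pos="34" show="443" value="01bb"/>
  <field name="tcp.dstport" size="2" pos="36" show="52457" value="cce9"/>
  <field name="tcp.seq" size="4" pos="38" show="101" value="eaee2a4b"/>
  <field name="tcp.ack" size="4" pos="42" show="1" value="368808d2"/>
 </proto></packet>
</pdml>"""


def tcp_seq_numbers(pdml_text):
    """Yield (src, dst, rel_seq, raw_seq, rel_ack, raw_ack) per TCP packet.

    `show` is what tshark displays (the relative number); `value` is the
    hex of the bytes on the wire (the raw, absolute number).
    """
    root = ET.fromstring(pdml_text)
    for packet in root.iter("packet"):
        tcp = packet.find("proto[@name='tcp']")
        if tcp is None:
            continue  # not a TCP packet
        f = {fld.get("name"): fld for fld in tcp.iter("field")}
        yield (int(f["tcp.srcport"].get("show")), int(f["tcp.dstport"].get("show")),
               int(f["tcp.seq"].get("show")), int(f["tcp.seq"].get("value"), 16),
               int(f["tcp.ack"].get("show")), int(f["tcp.ack"].get("value"), 16))


def initial_seq_numbers(pdml_text):
    """Recover the base tshark subtracted per direction: raw - relative (mod 2^32).

    Every packet of one direction must give the same base; a mismatch means
    the relative numbers were not all computed against the same ISN.
    """
    isn = {}
    for src, dst, rel_seq, raw_seq, _, _ in tcp_seq_numbers(pdml_text):
        base = (raw_seq - rel_seq) & 0xFFFFFFFF
        if isn.setdefault((src, dst), base) != base:
            raise ValueError(f"inconsistent base for {src}->{dst}")
    return isn
```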