Wireshark mailing list archives
Re: tshark: access to tcp raw seq number
From: Chema Gonzalez <chema () google com>
Date: Thu, 30 Mar 2017 10:16:00 -0700
On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <peter () lekensteyn nl> wrote:
> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
> [..]
> > > Alternatively, you could use a Lua post-dissector to parse out the
> > > buffer that backs the field ("seq.range" below):
> > >
> > >     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
> > >
> > >     -- seq.lua
> > >     local myproto = Proto("dummy", "dummy description")
> > >     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
> > >     local tcp_seq = Field.new("tcp.seq")
> > >     function myproto.dissector(tvb, pinfo, tree)
> > >         local seq = tcp_seq()
> > >         if seq then
> > >             -- seq.range is the TvbRange backing tcp.seq, so the uint32
> > >             -- read from it is the on-wire value, not the relative one
> > >             tree:add(myproto.fields.seq, seq.range)
> > >         end
> > >     end
> > >     register_postdissector(myproto)
> >
> > Hmm.. When I saw this, I was worried about performance. I tried, and it
> > only adds an extra 20% time. It solves my problem faster than writing a
> > patch to add tcp.seqraw. Thanks a lot!
>
> Great, that is a good trade off I suppose :-) Though 20% is still a lot.
> Is somebody interested to do some profiling? Chema, what is your
> environment (OS, OS version) and the approximate description of your data
> (pcap with x frames and y% TCP).
Linux 3.13.0-108. The trace is 1.4 GB long, 1.5M full packets, almost all
http/tcp.

$ tcpdump -n -nn -r Traffic2*cap|wc -l
...
1538474
$ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
...
1538464

-Chema
> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
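The post-dissector approach discussed in the thread, written out as an added example. This is not code from the thread or from the Wireshark project; the protocol name `tcp_raw` and the field names `tcp_raw.seq`, `tcp_raw.ack` and `tcp_raw.seq_rel` are this example's own choice. It goes beyond the one-field script above by exposing the on-wire sequence and acknowledgment numbers side by side with the relative value that `tcp.seq` shows while the "relative sequence numbers" preference is enabled, and by handling frames where `tcp.ack` is not present.

```lua
-- tcp_raw_seq.lua: tshark/Wireshark post-dissector (added example, not code
-- from the thread).  Exposes the on-wire TCP sequence and acknowledgment
-- numbers as tcp_raw.seq / tcp_raw.ack next to the relative value that
-- tcp.seq displays when the "relative sequence numbers" preference is on.
-- The protocol and field names below are this example's own choice.
local tcp_raw = Proto("tcp_raw", "TCP raw sequence numbers")

local f_seq     = ProtoField.uint32("tcp_raw.seq",     "Raw sequence number")
local f_ack     = ProtoField.uint32("tcp_raw.ack",     "Raw acknowledgment number")
local f_seq_rel = ProtoField.uint32("tcp_raw.seq_rel", "Relative sequence number")
tcp_raw.fields = { f_seq, f_ack, f_seq_rel }

-- Field extractors must be created at script load time, before any packet is
-- dissected.  Calling one returns the FieldInfo(s) of the current packet:
-- .value is what the TCP dissector displays (relative if the preference is
-- on), .range is the TvbRange of the header bytes the field was built from.
local tcp_seq_f = Field.new("tcp.seq")
local tcp_ack_f = Field.new("tcp.ack")

function tcp_raw.dissector(tvb, pinfo, tree)
    -- A post-dissector runs for every frame; bail out early on non-TCP frames
    -- to keep the per-packet cost low.  With tunnelled or ICMP-quoted TCP
    -- headers there can be several tcp.seq instances; the first one returned
    -- belongs to the outermost TCP header.
    local seq = tcp_seq_f()
    if seq == nil then
        return
    end

    local subtree = tree:add(tcp_raw, seq.range, "TCP raw sequence numbers")

    -- The wire value is the big-endian uint32 in the backing range, which the
    -- relative-sequence-number preference does not touch.
    subtree:add(f_seq, seq.range, seq.range:uint())
    subtree:add(f_seq_rel, seq.range, seq.value)

    -- tcp.ack can be absent on segments without the ACK flag (a bare SYN),
    -- so it is checked separately rather than assumed to exist.
    local ack = tcp_ack_f()
    if ack ~= nil then
        subtree:add(f_ack, ack.range, ack.range:uint())
    end
end

register_postdissector(tcp_raw)
```

Usage from tshark, with the field names above: `tshark -X lua_script:tcp_raw_seq.lua -r trace.pcap -T fields -e frame.number -e tcp.seq -e tcp_raw.seq -e tcp_raw.ack`. If only the raw values are needed and the relative ones can be dropped, the script is unnecessary: `tshark -o tcp.relative_sequence_numbers:FALSE -T fields -e tcp.seq -e tcp.ack` makes the TCP dissector print the on-wire numbers directly, at no extra per-packet cost. The Lua route is worth its overhead when both views are wanted in one pass, for example to correlate a trace against host-side logs that record absolute sequence numbers.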
Current thread:
- tshark: access to tcp raw seq number Chema Gonzalez (Mar 29)
- Re: tshark: access to tcp raw seq number Pascal Quantin (Mar 30)
- Re: tshark: access to tcp raw seq number Chema Gonzalez (Mar 30)
- Re: tshark: access to tcp raw seq number Peter Wu (Mar 30)
- Re: tshark: access to tcp raw seq number Chema Gonzalez (Mar 30)
- Re: tshark: access to tcp raw seq number Peter Wu (Mar 30)
- Re: tshark: access to tcp raw seq number Chema Gonzalez (Mar 30)
- Re: tshark: access to tcp raw seq number Chema Gonzalez (Mar 30)
- Re: tshark: access to tcp raw seq number Chema Gonzalez (Mar 30)
- Re: tshark: access to tcp raw seq number Pascal Quantin (Mar 30)