Wireshark-dev: Re: [Wireshark-dev] tshark: access to tcp raw seq number

From: Chema Gonzalez <chema@xxxxxxxxxx>
Date: Thu, 30 Mar 2017 09:40:13 -0700
On Thu, Mar 30, 2017 at 9:15 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>> My goal was getting both at the same time. Unless I'm mistaken, I can
>> only get either the relative or the absolute seq number.
>
> If you can parse the PDML (XML) output (tshark -Tpdml), the data is
> already there:
>
>       <proto name="tcp" showname="Transmission Control Protocol, Src Port: https (443), Dst Port: 52457 (52457), Seq: 1, Ack: 1, Len: 0" size="20" pos="34">
>       ...
>
>         <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="eaee29e7"/>
>         <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="368808d2"/>
>
> Here you can see that the relative seq number is 1 and that the
> absolute value is eaee29e7 (hexadecimal for 3941476839).
I'm trying to process very large traces efficiently. Parsing xml is
likely a bad option.

> Alternatively, you could use a Lua post-dissector to parse out the
> buffer that backs the field ("seq.range" below):
>
>     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>
>     -- seq.lua
>     local myproto = Proto("dummy", "dummy description")
>     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>     local tcp_seq = Field.new("tcp.seq")
>     function myproto.dissector(tvb, pinfo, tree)
>         local seq = tcp_seq()
>         if seq then
>             tree:add(myproto.fields.seq, seq.range)
>         end
>     end
>     register_postdissector(myproto)
Hmm.. When I saw this, I was worried about performance. I tried, and
it only adds an extra 20% time. It solves my problem faster than
writing a patch to add tcp.seqraw.

Thanks a lot!

-Chema



> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
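For readers who do want the PDML route from Peter's first suggestion, here is an added example (not code from either poster) that streams `tshark -Tpdml` output with `iterparse`, so whole-trace XML trees are never built, and pairs each relative number (`show`) with the absolute one decoded from the `value` hex. The PDML fragment is constructed to mirror the one quoted above and is not real capture output.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed PDML fragment modelled on the one quoted in the thread
# (not real tshark output); wrapped in the <pdml>/<packet> elements that
# tshark -Tpdml emits around each dissected packet.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml>
 <packet>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
   <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="eaee29e7"/>
   <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="368808d2"/>
  </proto>
 </packet>
</pdml>
"""

# Fields whose relative (show) and absolute (value) forms we want side by side.
WANTED = {"tcp.seq", "tcp.ack"}


def iter_seq_pairs(stream):
    """Yield one dict per packet mapping field name -> (relative, absolute).

    Uses iterparse so memory stays bounded on very large traces: each
    <packet> element is cleared as soon as it has been processed.
    """
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "packet":
            continue
        pairs = {}
        # Fields may be nested under <proto>; iter() walks the subtree.
        for field in elem.iter("field"):
            name = field.get("name")
            if name in WANTED:
                relative = int(field.get("show"))        # as displayed by Wireshark
                absolute = int(field.get("value"), 16)   # raw on-the-wire bytes
                pairs[name] = (relative, absolute)
        elem.clear()
        yield pairs


def parse_pdml_bytes(data):
    """Convenience wrapper: parse in-memory PDML bytes (e.g. from a test)."""
    return list(iter_seq_pairs(BytesIO(data)))


if __name__ == "__main__":
    # For a real trace: tshark -r trace.pcapng -Tpdml | python3 this_script.py
    import sys
    src = sys.stdin.buffer if not sys.stdin.isatty() else BytesIO(SAMPLE_PDML)
    for packet in iter_seq_pairs(src):
        print(packet)
```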