Wireshark-dev: Re: [Wireshark-dev] tshark: access to tcp raw seq number

From: Chema Gonzalez <chema@xxxxxxxxxx>
Date: Thu, 30 Mar 2017 10:16:00 -0700
On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
> [..]
>> > Alternatively, you could use a Lua post-dissector to parse out the
>> > buffer that backs the field ("seq.range" below):
>> >
>> >     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>> >
>> >     -- seq.lua
>> >     local myproto = Proto("dummy", "dummy description")
>> >     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>> >     local tcp_seq = Field.new("tcp.seq")
>> >     function myproto.dissector(tvb, pinfo, tree)
>> >         local seq = tcp_seq()
>> >         if seq then
>> >             tree:add(myproto.fields.seq, seq.range)
>> >         end
>> >     end
>> >     register_postdissector(myproto)
>> Hmm.. When I saw this, I was worried about performance. I tried, and
>> it only adds an extra 20% time. It solves my problem faster than
>> writing a patch to add tcp.seqraw.
>>
>> Thanks a lot!
>
> Great, that is a good trade-off I suppose :-)
>
> Though 20% is still a lot. Is somebody interested to do some profiling?
> Chema, what is your environment (OS, OS version) and the approximate
> description of your data (pcap with x frames and y% TCP).
Linux 3.13.0-108.

The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.

$ tcpdump -n -nn -r Traffic2*cap|wc -l
...
1538474
$ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
...
1538464

-Chema


> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
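As an added example, not Peter's script or Wireshark code, the Python below does offline what the Lua post-dissector in the thread does inside tshark: it reads the raw 32-bit seq straight from the TCP header bytes (the buffer that `seq.range` exposes) and derives the relative value that `tcp.seq` reports when sequence-number analysis is on, i.e. raw minus the first seq seen in that direction, modulo 2^32. The frames are constructed inline with zero MACs and checksums, which is enough for parsing.

```python
import struct

def build_frame(src_ip, sport, dst_ip, dport, seq, flags):
    """Constructed Ethernet/IPv4/TCP frame (zero MACs and checksums; enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def raw_tcp_seq(frame):
    """Return ((src, sport, dst, dport), raw seq) or None if the frame is not IPv4/TCP.
    The raw value is just bytes 4..8 of the TCP header, the same bytes the Lua
    script hands to tree:add() via seq.range."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:14 + ihl + 20]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (frame[26:30], sport, frame[30:34], dport), seq

def relative_seqs(frames):
    """Emulate tcp.seq with sequence-number analysis on: each direction's first seq
    is its ISN and relative = (raw - ISN) mod 2**32, so a wrapped raw seq still
    counts forward instead of going negative."""
    isn = {}
    out = []
    for frame in frames:
        parsed = raw_tcp_seq(frame)
        if parsed is None:
            continue  # not TCP: nothing for a TCP post-dissector to see
        key, seq = parsed
        isn.setdefault(key, seq)
        out.append((seq, (seq - isn[key]) & 0xFFFFFFFF))
    return out

SYN, SYNACK, ACK = 0x02, 0x12, 0x10
C, S = (10, 0, 0, 1), (10, 0, 0, 2)
FRAMES = [  # constructed sample: client ISN sits 16 bytes below the 32-bit wrap point
    build_frame(C, 40000, S, 80, 0xFFFFFFF0, SYN),
    build_frame(S, 80, C, 40000, 0x12345678, SYNACK),
    build_frame(C, 40000, S, 80, 0xFFFFFFF1, ACK),  # first data segment, 20 bytes
    build_frame(C, 40000, S, 80, 0x00000005, ACK),  # seq wrapped past 2**32
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,       # ARP frame, skipped
]

if __name__ == "__main__":
    for raw, rel in relative_seqs(FRAMES):
        print(f"tcp.seq_abs={raw:#010x} tcp.seq={rel}")
```

The last sample frame shows why the masking matters: a raw seq of 5 after an ISN of 0xFFFFFFF0 is relative seq 21, which is what Wireshark's relative numbering reports across a wrap.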