On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
> [..]
>> > Alternatively, you could use a Lua post-dissector to parse out the
>> > buffer that backs the field ("seq.range" below):
>> >
>> > tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>> >
>> > -- seq.lua
>> > local myproto = Proto("dummy", "dummy description")
>> > myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>> > local tcp_seq = Field.new("tcp.seq")
>> > function myproto.dissector(tvb, pinfo, tree)
>> > local seq = tcp_seq()
>> > if seq then
>> > tree:add(myproto.fields.seq, seq.range)
>> > end
>> > end
>> > register_postdissector(myproto)
>> Hmm.. When I saw this, I was worried about performance. I tried, and
>> it only adds an extra 20% time. It solves my problem faster than
>> writing a patch to add tcp.seqraw.
>>
>> Thanks a lot!
>
> Great, that is a good trace off I suppose :-)
>
> Though 20% is still a lot. Is somebody interested to do some profiling?
> Chema, what is your environment (OS, OS version) and the approximate
> description of your data (pcap with x frames and y% TCP).
Linux 3.13.0-108.
The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.
$ tcpdump -n -nn -r Traffic2*cap|wc -l
...
1538474
$ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
...
1538464
-Chema
> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe