And the timings:
$ time tshark -n -T fields -e frame.number -e frame.time_epoch -e
ip.proto -e ip.src -e ip.dst -e ip.len -e tcp.srcport -e tcp.dstport
-e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack
-r Traffic2*.cap > /dev/null
real 2m36.218s
user 2m33.604s
sys 0m2.464s
$ time tshark -Xlua_script:seq.lua -n -T fields -e frame.number -e
frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e ip.len -e
tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.seq_abs -e tcp.len -e
tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack -r Traffic2*.cap >
/dev/null
real 3m4.884s
user 3m1.468s
sys 0m3.396s
$ python -c "print (184-156) / 156."
0.179487179487
-Chema
On Thu, Mar 30, 2017 at 10:16 AM, Chema Gonzalez <chema@xxxxxxxxxx> wrote:
> On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
>> [..]
>>> > Alternatively, you could use a Lua post-dissector to parse out the
>>> > buffer that backs the field ("seq.range" below):
>>> >
>>> > tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>>> >
>>> > -- seq.lua
>>> > local myproto = Proto("dummy", "dummy description")
>>> > myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>>> > local tcp_seq = Field.new("tcp.seq")
>>> > function myproto.dissector(tvb, pinfo, tree)
>>> > local seq = tcp_seq()
>>> > if seq then
>>> > tree:add(myproto.fields.seq, seq.range)
>>> > end
>>> > end
>>> > register_postdissector(myproto)
>>> Hmm.. When I saw this, I was worried about performance. I tried, and
>>> it only adds an extra 20% time. It solves my problem faster than
>>> writing a patch to add tcp.seqraw.
>>>
>>> Thanks a lot!
>>
>> Great, that is a good trace off I suppose :-)
>>
>> Though 20% is still a lot. Is somebody interested to do some profiling?
>> Chema, what is your environment (OS, OS version) and the approximate
>> description of your data (pcap with x frames and y% TCP).
> Linux 3.13.0-108.
>
> The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.
>
> $ tcpdump -n -nn -r Traffic2*cap|wc -l
> ...
> 1538474
> $ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
> ...
> 1538464
>
> -Chema
>
>
>> --
>> Kind regards,
>> Peter Wu
>> https://lekensteyn.nl
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives: https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe