Wireshark-dev: Re: [Wireshark-dev] tshark: access to tcp raw seq number

From: Chema Gonzalez <chema@xxxxxxxxxx>
Date: Thu, 30 Mar 2017 10:17:32 -0700
And the timings:

$ time tshark -n -T fields -e frame.number -e frame.time_epoch -e
ip.proto -e ip.src -e ip.dst -e ip.len -e tcp.srcport -e tcp.dstport
-e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack
-r Traffic2*.cap > /dev/null

real  2m36.218s
user  2m33.604s
sys 0m2.464s

$ time tshark -Xlua_script:seq.lua -n -T fields -e frame.number -e
frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e ip.len -e
tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.seq_abs -e tcp.len -e
tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack -r Traffic2*.cap >
/dev/null

real  3m4.884s
user  3m1.468s
sys 0m3.396s

$ python -c "print (184-156) / 156."
0.179487179487

-Chema



On Thu, Mar 30, 2017 at 10:16 AM, Chema Gonzalez <chema@xxxxxxxxxx> wrote:
> On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
>> [..]
>>> > Alternatively, you could use a Lua post-dissector to parse out the
>>> > buffer that backs the field ("seq.range" below):
>>> >
>>> >     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>>> >
>>> >     -- seq.lua
>>> >     local myproto = Proto("dummy", "dummy description")
>>> >     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>>> >     local tcp_seq = Field.new("tcp.seq")
>>> >     function myproto.dissector(tvb, pinfo, tree)
>>> >         local seq = tcp_seq()
>>> >         if seq then
>>> >             tree:add(myproto.fields.seq, seq.range)
>>> >         end
>>> >     end
>>> >     register_postdissector(myproto)
>>> Hmm.. When I saw this, I was worried about performance. I tried, and
>>> it only adds an extra 20% time. It solves my problem faster than
>>> writing a patch to add tcp.seqraw.
>>>
>>> Thanks a lot!
>>
>> Great, that is a good trade-off I suppose :-)
>>
>> Though 20% is still a lot. Is somebody interested in doing some profiling?
>> Chema, what is your environment (OS, OS version) and the approximate
>> description of your data (pcap with x frames and y% TCP)?
> Linux 3.13.0-108.
>
> The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.
>
> $ tcpdump -n -nn -r Traffic2*cap|wc -l
> ...
> 1538474
> $ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
> ...
> 1538464
>
> -Chema
>
>
>> --
>> Kind regards,
>> Peter Wu
>> https://lekensteyn.nl
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
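Added example (not part of the thread, and not Wireshark or tshark code): what the Lua post-dissector above is exposing. `tcp.seq` in tshark is by default relative to the ISN of each direction, while the bytes behind `seq.range` hold the absolute value; this Python models both over constructed TCP segments, with an ISN chosen near 2^32 so the modular wraparound that relative numbering has to handle is visible. All packets, addresses and ports are constructed sample data.

```python
import struct

# Build a constructed 20-byte TCP header (no options) plus optional payload.
def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    offset_flags = (5 << 12) | flags          # data offset = 5 words, flags in low 9 bits
    hdr = struct.pack(">HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)
    return hdr + payload

SYN, ACK = 0x02, 0x10

def raw_seq(tcp):
    """Absolute sequence number: the 4 bytes at TCP header offset 4 (the buffer seq.range backs)."""
    return struct.unpack(">I", tcp[4:8])[0]

def relative_seq(seq, isn):
    """Wireshark-style relative sequence number; modulo 2^32 so wraparound past 0xFFFFFFFF is correct."""
    return (seq - isn) % (1 << 32)

def tcp_seq_fields(segments):
    """Emulate '-e tcp.seq -e tcp.seq_abs': one (relative, absolute) pair per segment.
    The ISN for a direction is the seq of the first segment seen in that direction."""
    isn = {}
    out = []
    for src, dst, tcp in segments:
        key = (src, dst, struct.unpack(">HH", tcp[:4]))   # (src, dst, (sport, dport))
        seq = raw_seq(tcp)
        isn.setdefault(key, seq)
        out.append((relative_seq(seq, isn[key]), seq))
    return out

# Constructed sample flow: client ISN sits 256 below 2^32, so its first data byte wraps around.
ISN_C = 0xFFFFFF00
ISN_S = 0x10000000
SEGMENTS = [
    ("10.0.0.1", "10.0.0.2", build_tcp(40000, 80, ISN_C, 0, SYN)),
    ("10.0.0.2", "10.0.0.1", build_tcp(80, 40000, ISN_S, ISN_C + 1, SYN | ACK)),
    ("10.0.0.1", "10.0.0.2", build_tcp(40000, 80, (ISN_C + 1) & 0xFFFFFFFF, ISN_S + 1, ACK)),
    ("10.0.0.1", "10.0.0.2", build_tcp(40000, 80, 0x00000064, ISN_S + 1, ACK, b"GET / HTTP/1.1\r\n")),
]

if __name__ == "__main__":
    for rel, ab in tcp_seq_fields(SEGMENTS):
        print(f"tcp.seq={rel}\ttcp.seq_abs={ab}")
```

The last segment prints `tcp.seq=356` next to `tcp.seq_abs=100`, which is why the relative field alone cannot be used to correlate segments across captures or with the raw values a host or IDS logs.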