On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <[email protected]> wrote:
> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
> [..]
>> > Alternatively, you could use a Lua post-dissector to parse out the
>> > buffer that backs the field ("seq.range" below):
>> >
>> >     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>> >
>> >     -- seq.lua
>> >     local myproto = Proto("dummy", "dummy description")
>> >     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>> >     local tcp_seq = Field.new("tcp.seq")
>> >     function myproto.dissector(tvb, pinfo, tree)
>> >         local seq = tcp_seq()
>> >         if seq then
>> >             tree:add(myproto.fields.seq, seq.range)
>> >         end
>> >     end
>> >     register_postdissector(myproto)
>> Hmm.. When I saw this, I was worried about performance. I tried, and
>> it only adds an extra 20% time. It solves my problem faster than
>> writing a patch to add tcp.seqraw.
>>
>> Thanks a lot!
>
> Great, that is a good trade-off I suppose :-)
>
> Though 20% is still a lot. Is somebody interested to do some profiling?
> Chema, what is your environment (OS, OS version) and the approximate
> description of your data (pcap with x frames and y% TCP).

Linux 3.13.0-108.
The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.

$ tcpdump -n -nn -r Traffic2*cap|wc -l
...
1538474
$ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
...
1538464

-Chema

> --
> Kind regards,
> Peter Wu
> https://lekensteyn.nl
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <[email protected]>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:[email protected]?subject=unsubscribe
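
Added example (not part of the original thread, and not Wireshark code): a Python illustration of what the two columns in the tshark command above contain. It assumes tcp.seq is shown relative to the first sequence number seen in each direction, while the 4 bytes backing the field hold the absolute value; the helper names and the sample headers are constructed for illustration.

```python
import struct

MASK32 = 0xFFFFFFFF

def build_tcp_header(sport, dport, seq, ack=0, flags=0x10):
    """Constructed sample input: 20-byte TCP header, no options, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0)

def parse_seq(header):
    """Return ((sport, dport), absolute seq) from raw TCP header bytes."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq = struct.unpack_from("!HHI", header, 0)
    return (sport, dport), seq

def seq_columns(headers):
    """For each segment return (absolute seq, relative seq).

    Assumption: the relative value is counted from the first segment seen
    in that direction, modulo 2**32, so it survives sequence wraparound.
    """
    base = {}
    rows = []
    for header in headers:
        flow, raw = parse_seq(header)
        first = base.setdefault(flow, raw)
        rows.append((raw, (raw - first) & MASK32))
    return rows

# Constructed flow whose initial sequence number sits just below 2**32,
# so the absolute value wraps while the relative value keeps growing.
ISN = 0xFFFFFF00
SAMPLE = [
    build_tcp_header(40000, 80, ISN, flags=0x02),               # SYN
    build_tcp_header(40000, 80, (ISN + 1) & MASK32),            # first data
    build_tcp_header(40000, 80, (ISN + 1 + 0x200) & MASK32),    # after wrap
    build_tcp_header(80, 40000, 1000, flags=0x12),              # SYN/ACK
]

if __name__ == "__main__":
    for raw, rel in seq_columns(SAMPLE):
        print(f"abs={raw:#010x} rel={rel}")
```
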
