And the timings:

$ time tshark -n -T fields -e frame.number -e frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e ip.len -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len -e tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack -r Traffic2*.cap > /dev/null

real 2m36.218s
user 2m33.604s
sys 0m2.464s

$ time tshark -Xlua_script:seq.lua -n -T fields -e frame.number -e frame.time_epoch -e ip.proto -e ip.src -e ip.dst -e ip.len -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.seq_abs -e tcp.len -e tcp.nxtseq -e tcp.flags.syn -e tcp.flags.ack -r Traffic2*.cap > /dev/null

real 3m4.884s
user 3m1.468s
sys 0m3.396s

$ python -c "print (184-156) / 156."
0.179487179487

-Chema

On Thu, Mar 30, 2017 at 10:16 AM, Chema Gonzalez <[email protected]> wrote:
> On Thu, Mar 30, 2017 at 10:03 AM, Peter Wu <[email protected]> wrote:
>> On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
>> [..]
>>> > Alternatively, you could use a Lua post-dissector to parse out the
>>> > buffer that backs the field ("seq.range" below):
>>> >
>>> > tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
>>> >
>>> > -- seq.lua
>>> > local myproto = Proto("dummy", "dummy description")
>>> > myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
>>> > local tcp_seq = Field.new("tcp.seq")
>>> > function myproto.dissector(tvb, pinfo, tree)
>>> >     local seq = tcp_seq()
>>> >     if seq then
>>> >         tree:add(myproto.fields.seq, seq.range)
>>> >     end
>>> > end
>>> > register_postdissector(myproto)
>>> Hmm.. When I saw this, I was worried about performance. I tried, and
>>> it only adds an extra 20% time. It solves my problem faster than
>>> writing a patch to add tcp.seqraw.
>>>
>>> Thanks a lot!
>>
>> Great, that is a good trade-off I suppose :-)
>>
>> Though 20% is still a lot. Is somebody interested to do some profiling?
>> Chema, what is your environment (OS, OS version) and the approximate
>> description of your data (pcap with x frames and y% TCP).
> Linux 3.13.0-108.
>
> The trace is 1.4 GB long, 1.5M full packets, almost all http/tcp.
>
> $ tcpdump -n -nn -r Traffic2*cap|wc -l
> ...
> 1538474
> $ tcpdump -n -nn -r Traffic2*cap tcp |wc -l
> ...
> 1538464
>
> -Chema
>
>
>> --
>> Kind regards,
>> Peter Wu
>> https://lekensteyn.nl
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <[email protected]>
>> Archives: https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>> mailto:[email protected]?subject=unsubscribe
