Wireshark-dev: Re: [Wireshark-dev] tshark: access to tcp raw seq number
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 30 Mar 2017 19:03:16 +0200
On Thu, Mar 30, 2017 at 09:40:13AM -0700, Chema Gonzalez wrote:
[..]
> > Alternatively, you could use a Lua post-dissector to parse out the
> > buffer that backs the field ("seq.range" below):
> >
> >     tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...
> >
> >     -- seq.lua
> >     local myproto = Proto("dummy", "dummy description")
> >     myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
> >     local tcp_seq = Field.new("tcp.seq")
> >     function myproto.dissector(tvb, pinfo, tree)
> >         local seq = tcp_seq()
> >         if seq then
> >             tree:add(myproto.fields.seq, seq.range)
> >         end
> >     end
> >     register_postdissector(myproto)
> Hmm.. When I saw this, I was worried about performance. I tried, and
> it only adds an extra 20% time. It solves my problem faster than
> writing a patch to add tcp.seqraw.
> 
> Thanks a lot!

Great, that is a good trade-off I suppose :-)

Though 20% is still a lot. Is somebody interested in doing some profiling?
Chema, what is your environment (OS, OS version) and the approximate
description of your data (pcap with x frames and y% TCP)?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
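
Added example, not part of the original message or of Wireshark's code: the Lua script works because the buffer behind tcp.seq is the 4 raw header bytes, while the displayed value is an offset from a per-direction base. The sketch below models that with a simplified base (first segment seen per port pair, an assumption) and constructed sample segments, including a 32-bit wrap.

```python
import struct

def tcp_raw_seq(segment: bytes) -> int:
    """Raw sequence number: bytes 4..7 of the TCP header, big-endian."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack_from("!I", segment, 4)[0]

def relative_seqs(segments):
    """Return [(raw, relative), ...] for each segment.

    Simplified model (assumption): the first segment seen in a direction,
    keyed by (src port, dst port), supplies the base. The subtraction is
    modulo 2**32 so a wrapped counter still yields a small offset.
    """
    base = {}
    out = []
    for seg in segments:
        sport, dport = struct.unpack_from("!HH", seg, 0)
        raw = tcp_raw_seq(seg)
        b = base.setdefault((sport, dport), raw)
        out.append((raw, (raw - b) & 0xFFFFFFFF))
    return out

def make_segment(sport, dport, seq, payload=b""):
    """Constructed sample: minimal 20-byte header (data offset 5, ACK set,
    checksum left at 0) followed by the payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)
    return hdr + payload

# Constructed capture: the server side starts 256 bytes below the 32-bit
# limit and sends 512 bytes, so its next raw sequence number wraps to 0x100.
SAMPLE = [
    make_segment(443, 51000, 0xFFFFFF00, b"\x00" * 512),
    make_segment(443, 51000, 0x00000100),
    make_segment(51000, 443, 1000, b"\x00" * 10),
    make_segment(51000, 443, 1010),
]

if __name__ == "__main__":
    for raw, rel in relative_seqs(SAMPLE):
        print(f"raw={raw:10d}  relative={rel}")
```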