Wireshark-dev: Re: [Wireshark-dev] tshark: access to tcp raw seq number

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 30 Mar 2017 18:15:25 +0200
On Thu, Mar 30, 2017 at 08:39:31AM -0700, Chema Gonzalez wrote:
> Hi,
> 
> On Thu, Mar 30, 2017 at 12:23 AM, Pascal Quantin wrote:
> > Hi Chema,
> >
> > 2017-03-30 1:32 GMT+02:00 Chema Gonzalez:
> >>
> >> Hi,
> >>
> >> I'm using tshark to extract some fields from packet traces. Using `-e
> >> tcp.seq`, tshark prints the relative sequence number. I'd like to
> >> print the raw (absolute) at the same time. I don't think this is
> >> possible right now (but please let me know if that's the case).

> My goal was getting both at the same time. Unless I'm mistaken, I can
> only get either the relative or the absolute seq number.

If you can parse the PDML (XML) output (tshark -Tpdml), the data is
already there:

      <proto name="tcp" showname="Transmission Control Protocol, Src Port: https (443), Dst Port: 52457 (52457), Seq: 1, Ack: 1, Len: 0" size="20" pos="34">
      ...

        <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="eaee29e7"/>
        <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="368808d2"/>

Here you can see that the relative seq number is 1 and that the
absolute value is eaee29e7 (hexadecimal for 3941476839).

Alternatively, you could use a Lua post-dissector to parse out the
buffer that backs the field ("seq.range" below):

    tshark -Xlua_script:seq.lua -Tfields -e tcp.seq -e tcp.seq_abs ...

    -- seq.lua
    -- Post-dissector that re-exposes the raw bytes behind tcp.seq as a new
    -- field, tcp.seq_abs, so both numbers can be selected with -e at once.
    local myproto = Proto("dummy", "dummy description")
    myproto.fields.seq = ProtoField.uint32("tcp.seq_abs", "Abs seq no")
    -- Field extractor for the already-dissected tcp.seq; it has to be
    -- created at script load time, before the dissector function runs.
    local tcp_seq = Field.new("tcp.seq")
    function myproto.dissector(tvb, pinfo, tree)
        local seq = tcp_seq()   -- FieldInfo for tcp.seq, nil on non-TCP packets
        if seq then
            -- seq.range is the 4-byte TvbRange holding the on-wire (absolute)
            -- sequence number; adding it to a uint32 field decodes it big-endian.
            tree:add(myproto.fields.seq, seq.range)
        end
    end
    register_postdissector(myproto)
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
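The PDML approach from the reply above, worked through in Python as an added example (not code from the thread or from the Wireshark project): it parses a constructed PDML snippet modelled on the quoted tcp.seq/tcp.ack lines and returns the relative number from the `show` attribute next to the absolute one decoded from the hex `value` bytes, skipping packets that carry no TCP layer.

```python
"""Extract relative and absolute TCP seq/ack numbers from tshark PDML output."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like `tshark -T pdml` output (not a real capture).
# "show" carries the relative number; "value" carries the raw 4 bytes in hex
# exactly as they appear on the wire, i.e. the absolute number, big-endian.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/2.3.0">
  <packet>
    <proto name="tcp" showname="Transmission Control Protocol, Seq: 1, Ack: 1, Len: 0" size="20" pos="34">
      <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="eaee29e7"/>
      <field name="tcp.ack" showname="Acknowledgment number: 1    (relative ack number)" size="4" pos="42" show="1" value="368808d2"/>
    </proto>
  </packet>
  <packet>
    <proto name="udp" showname="User Datagram Protocol" size="8" pos="34"/>
  </packet>
  <packet>
    <proto name="tcp" showname="Transmission Control Protocol, Seq: 1, Ack: 2, Len: 0" size="20" pos="34">
      <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="368808d2"/>
      <field name="tcp.ack" showname="Acknowledgment number: 2    (relative ack number)" size="4" pos="42" show="2" value="eaee29e8"/>
    </proto>
  </packet>
</pdml>
"""

def extract_seq_numbers(pdml_text):
    """Return one dict per TCP packet with seq_rel, seq_abs, ack_rel, ack_abs.

    Non-TCP packets are skipped. The absolute number is the "value" hex string
    read as a big-endian unsigned integer (what tshark prints with relative
    sequence numbers disabled).
    """
    root = ET.fromstring(pdml_text)
    rows = []
    for packet in root.iter("packet"):
        tcp = packet.find("proto[@name='tcp']")
        if tcp is None:
            continue
        row = {}
        for field_name, key in (("tcp.seq", "seq"), ("tcp.ack", "ack")):
            field = tcp.find("field[@name='%s']" % field_name)
            if field is not None:
                row[key + "_rel"] = int(field.get("show"))
                row[key + "_abs"] = int(field.get("value"), 16)
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in extract_seq_numbers(SAMPLE_PDML):
        print(row)
```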