Wireshark-users: Re: [Wireshark-users] Plotting TCP Sequence Number Against Timestamp Option Valu
Harry Trieu <htrieu@...> writes:
> Does anyone know of a way to take a packet capture and plot TCP sequence
> numbers against timestamp option values?
You can use tshark to print the fields you want and if you want an actual
plot, you can then import the column data into a spreadsheet and then
just plot it from there.
To get the columns you want, look into the -T fields and -e <field> options.
For example:
tshark -r afile.pcap -T fields -e tcp.seq -e tcp.options.timestamp.tsval
The sequence #'s displayed may or may not be relative sequence #'s,
depending upon the TCP preference. You can change the way the sequence #'s
are displayed by passing the "-o tcp.relative_sequence_numbers:TRUE" or "-o
tcp.relative_sequence_numbers:FALSE" option to tshark.
In order for the data to make the most sense, you'll probably need to filter
your capture file to isolate a particular stream, and then a particular
direction so you get meaningful sequence #'s. For example:
tshark -r afile.pcap -2R "ip.src eq 1.1.1.1 and tcp.srcport eq 11111 and ip.dst eq 2.2.2.2 and tcp.dstport eq 22222" -T fields -e tcp.seq -e tcp.options.timestamp.tsval
For more information, refer to
https://www.wireshark.org/docs/man-pages/tshark.html
Hope it helps.
- Chris
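
An added example, not part of the original post: a small Python post-processor for the two-column output of the tshark commands above. It goes a little beyond the post by skipping segments that carry no timestamp option and by unwrapping the 32-bit counters so the plot stays continuous. It assumes absolute sequence numbers and tab-separated output; the function names and the sample rows are constructed for illustration.

```python
import csv
import io

MOD = 1 << 32  # tcp.seq and TSval are both 32-bit counters

def parse_fields(text):
    """Parse `tcp.seq<TAB>tsval` rows from tshark -T fields output."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 2 or not cols[0] or not cols[1]:
            continue  # segment without a timestamp option: field is empty
        rows.append((int(cols[0]), int(cols[1])))
    return rows

def unwrap32(values):
    """Make a 32-bit counter series continuous across wraparound."""
    # Each step is read as a signed 32-bit delta, so a wrap continues
    # upward while a retransmission still steps backward.
    out, total, prev = [], 0, None
    for v in values:
        if prev is None:
            total = v
        else:
            delta = (v - prev) % MOD
            total += delta - MOD if delta >= MOD // 2 else delta
        out.append(total)
        prev = v
    return out

def plot_points(text):
    """Return (tsval, seq) pairs ready for an X-Y scatter plot."""
    rows = parse_fields(text)
    seqs = unwrap32([s for s, _ in rows])
    tsvals = unwrap32([t for _, t in rows])
    return list(zip(tsvals, seqs))

def to_csv(points):
    """Render the points as CSV text that a spreadsheet can import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["tsval", "seq"])
    writer.writerows(points)
    return buf.getvalue()

# Constructed sample: absolute sequence numbers, one direction of one stream.
SAMPLE = "4294966000\t1000\n152\t1010\n1600\t\n4294966000\t1030\n1600\t1040\n"

if __name__ == "__main__":
    print(to_csv(plot_points(SAMPLE)), end="")
```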