I am trying to query these two attributes. But then none of the packets contain these attributes will show up. please help. thanks, print(pkt.tcp) print(pkt.tcp.analysis_ack_rtt) print(pkt.tcp.analysis.acks_frame)
Those are generated fields created by Wireshark when the capture is read in.
doc/README.dissector:
proto_item_set_generated()
--------------------------
proto_item_set_generated is used to mark fields as not being read from the
captured data directly, but inferred from one or more values.
They are set in packet-tcp.c
/* encapsulate all proto_tree_add_xxx in ifs so we only print what
data we actually have */
if(ta->frame_acked) {
item = proto_tree_add_uint(tree, hf_tcp_analysis_acks_frame,
tvb, 0, 0, ta->frame_acked);
proto_item_set_generated(item);
/* only display RTT if we actually have something we are acking */
if( ta->ts.secs || ta->ts.nsecs ) {
item = proto_tree_add_time(tree, hf_tcp_analysis_ack_rtt,
tvb, 0, 0, &ta->ts);
proto_item_set_generated(item);
}
}
Thanks for the fast reply,
I still have a few questions
if tcp_analysis->frame_acked is defined, RTT and frame_acked will be deferred using proto_tree_add_* functions, right? I assume this is run by wireshark to populate those fields in the program.
The code I used is like this:
print(pkt.ip.src, pkt.ip.dst, pkt.tcp.ack, pkt.tcp.seq, pkt.tcp.flags) // always working
pkt.tcp.pretty_print() //dumps the content in tcp packet, can display info of packets including ack packet if I dont have the next line which tried to query the two optional fields; it can't print any ack packet when I tried to query ...
Checking first with tshark to verify fields exist:
$ tshark -r ./mycapture.pcap -T fields -e frame.number -e tcp.analysis.acks_frame -e tcp.analysis.ack_rtt -c 5
1
2 1 0.000051000
3
4 3 0.004343000
5
$
$ python3
Python 3.6.9 (default, Apr 18 2020, 01:56:04)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyshark
>>> cap = pyshark.FileCapture('./mycapture.pcap')
>>> print(cap[1].tcp.analysis_acks_frame);
1
>>> print(cap[1].tcp.analysis_ack_rtt);
0.000051000
>>>
Accessing packet data: mentions dir to see the fields:
>>> dir(cap[1].tcp);
['', 'DATA_LAYER', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__setstate__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_all_fields', '_field_prefix', '_get_all_field_lines', '_get_all_fields_with_alternates', '_get_field_or_layer_repr', '_get_field_repr', '_layer_name', '_sanitize_field_name', 'ack', 'analysis', 'analysis_ack_rtt', 'analysis_acks_frame', 'checksum', 'checksum_status', 'dstport', 'field_names ...Asked: 2020-07-04 21:52:59 +0000
Seen: 400 times
Last updated: Jul 05 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
As your question is apparently about pyshark, which is an external project, it's off-topic for this site and you should contact the support channels for that project.