Hi Ted,

The file was from this repo: https://github.com/chrissanders/packets

I converted the file from PCAPNG format to PCAP then to JSON for comparison—all using Wireshark. Which brings up another point, I think once we get the PCAP functionality nailed down, I’d like to see what would be involved in getting Drill to read PCAPNG as well. But one thing at a time…

— C
> On Jan 2, 2018, at 02:00, Ted Dunning <[email protected]> wrote:
>
>
> I was also interested in adding the TCP Sequence and Ack numbers as well.
>
> tcp_sequence is already there. Copy that and modify with a different offset
> for the ack number.
>
> And then do the same for flags.
>
> I will have a test patch sometime this week, I think. We can compare gists
> and such.
>
>
> From: Charles Givre <[email protected]>
> Sent: Monday, January 1, 2018 12:28:17 PM
> To: [email protected]
> Cc: Ted Dunning
> Subject: PCAP Issues
>
> Hello all,
> I was playing with the PCAP functionality in Drill and I wanted to add the
> TCP flags to the data that Drill is returning. I was also interested in
> adding the TCP Sequence and Ack numbers as well. I noticed that the code as
> written currently has a function in Packet.java which returns the TCP
> Sequence number, however this was never added to the schema, so I added that
> and rebuilt Drill, however, it doesn’t seem to be returning the correct
> result. The file I was querying is attached to this email, and should in all
> cases return a sequence number of zero.
>
> Questions:
> 1. Could someone please take a look at the code for the tcp_sequence and see
> if I did something wrong, or if the offset is not being calculated correctly
> 2. I’m trying to figure out the offsets for the various TCP flags. I would
> think that the offset should be PacketConstants.ETHER_HEADER_LENGTH +
> getIPHeaderLength() +13 to get the word that has the flags and then from
> there, access the individual bits. However, this doesn’t seem to work. What
> am I missing?
> Thanks and Happy New Year!
> - C
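
An added example, not part of the original thread or of Drill's code: a Python parser for the TCP sequence number, acknowledgement number and flags at the offsets discussed above, assuming an untagged Ethernet II frame carrying IPv4. The names `parse_tcp_fields` and `build_sample_frame` and the sample frame are constructed for illustration; `ETHER_HEADER_LENGTH` only mirrors the constant named in the thread.

```python
import struct

ETHER_HEADER_LENGTH = 14  # untagged Ethernet II (assumption; a VLAN tag adds 4 bytes)

# Bit masks within byte 13 of the TCP header.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def parse_tcp_fields(frame: bytes) -> dict:
    """Return seq, ack and flags from an Ethernet II / IPv4 / TCP frame."""
    if len(frame) < ETHER_HEADER_LENGTH + 20:
        raise ValueError("frame too short for an IPv4 header")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4 (VLAN tags and IPv6 are not handled here)")
    ip = ETHER_HEADER_LENGTH
    # IHL is the low nibble of the first IP byte, counted in 32-bit words,
    # so the TCP header moves whenever IP options are present.
    ip_header_length = (frame[ip] & 0x0F) * 4
    if ip_header_length < 20 or frame[ip + 9] != 6:
        raise ValueError("bad IHL or protocol is not TCP")
    tcp = ip + ip_header_length
    if len(frame) < tcp + 20:
        raise ValueError("frame too short for a TCP header")
    # TCP bytes 4-7 are the sequence number, 8-11 the acknowledgement number.
    # Both are unsigned 32-bit big-endian; a signed read turns values
    # above 0x7FFFFFFF negative.
    seq, ack = struct.unpack_from("!II", frame, tcp + 4)
    tcp_header_length = (frame[tcp + 12] >> 4) * 4  # data offset, high nibble
    flag_byte = frame[tcp + 13]
    flags = [name for name, bit in FLAG_BITS if flag_byte & bit]
    return {"seq": seq, "ack": ack, "flags": flags,
            "tcp_header_length": tcp_header_length}


def build_sample_frame(ip_options: bytes = b"") -> bytes:
    """Constructed sample: SYN/ACK, seq 0xFFFFFFF0, ack 0x01020304."""
    eth = bytes(12) + b"\x08\x00"  # zeroed MAC addresses, EtherType IPv4
    ihl = (20 + len(ip_options)) // 4
    ip = (bytes([0x40 | ihl, 0]) + struct.pack("!H", 40 + len(ip_options))
          + bytes(4) + bytes([64, 6]) + bytes(2)
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + ip_options)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0xFFFFFFF0, 0x01020304,
                      0x50, 0x12, 8192, 0, 0)
    return eth + ip + tcp
```

Wireshark displays relative sequence numbers by default, so the raw value read from the header will usually differ from the 0 it shows for the first segment of a stream.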
