I must filter pcap files by the first xxx Bytes per session - using sequence number could be the method for it - but only if I can filter on relative numbers - e.g. first 10KB of each session - filter by relSqNumber < 10.000
tcpdump does print out the relative sequence numbers - but by default the filter on sequence number seems to accept only absolute numbers.
I tried using the filter tcpdump -r fileabc.pcap 'tcp[4:4] = 0' or 'tcp[4:4] < 10000' which did not work - when entering the absolute number - the filter did work
No.
The filtering in tcpdump is done with the filtering mechanism in libpcap. That filtering mechanism can look at raw packet data and make decisions based on that.
However, what appears in the raw packet data of a TCP segment is the absolute sequence number. The relative sequence number is relative to the first sequence number in that direction, and must be calculated by subtracting the first sequence number from the absolute sequence number.
To do that, the program doing the filtering must save the first sequence numbers, for both directions, of all TCP connections it sees, determine which particular connection a particular TCP segment belongs to and what direction it's in, look up the appropriate connection, and subtract the appropriate first sequence number from the absolute sequence number, and do tests on that.
The filtering mechanism libpcap uses does not support keeping any persistent information such as that. If it were to use the eBPF mechanism supported in newer Linux kernels when doing a live capture, or were to have its own implementation of that mechanism when reading from a saved capture file, it might be able to do that, but I haven't checked to see whether that would be possible.
Furthermore, if you don't capture the initial handshake of a TCP connection, the "relative sequence numbers" would be relative to the first packets, in each direction, that were captured, not relative to the beginning of the connection, as the sequence numbers at the beginning of the connection would be completely unavailable.
A separate filtering mechanism would have to be implemented in tcpdump to do that. (In Wireshark, that's exactly what is done; the "capture filter" mechanism in Wireshark is the libpcap capture mechanism, and the "display filter" in Wireshark is a separate mechanism that uses the values that Wireshark determines when it dissects packets.)
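Since the libpcap filter cannot keep per-connection state, the stateful pass the answer describes has to live outside tcpdump. The following script is an added example, not code from the question, the answer, tcpdump or libpcap: it reads a classic little-endian pcap of Ethernet/IPv4/TCP frames, records the first absolute sequence number seen per (src, sport, dst, dport) direction, and keeps only segments whose relative sequence number is below a threshold (the questioner's "first 10KB per session"). The `sample_pcap()` frames are constructed inline for an offline run; checksums are left at zero and are not validated. Note the answer's caveat: the base is the first segment *captured* in each direction, which is the SYN only when the handshake was captured.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Yield (16-byte record header, frame bytes) from classic pcap bytes.
    Only little-endian pcap with Ethernet link type is handled here."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is supported by this example")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet frames are supported by this example")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_direction_and_seq(frame):
    """Return ((src, sport, dst, dport), absolute seq) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:  # not TCP, or truncated
        return None
    sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
    return (ip[12:16], sport, ip[16:20], dport), seq


def filter_first_bytes(data, max_rel_seq):
    """Return (pcap bytes, kept count) containing only TCP segments whose relative
    sequence number (absolute seq minus the first seq seen in that direction)
    is below max_rel_seq. Non-TCP frames are dropped."""
    first_seq = {}                # per-direction state libpcap filters cannot keep
    out = bytearray(data[:24])    # reuse the original global header
    kept = 0
    for hdr, frame in parse_pcap(data):
        parsed = tcp_direction_and_seq(frame)
        if parsed is None:
            continue
        key, seq = parsed
        base = first_seq.setdefault(key, seq)
        rel = (seq - base) & 0xFFFFFFFF  # 32-bit modular subtraction survives wraparound
        if rel < max_rel_seq:
            out += hdr + frame
            kept += 1
    return bytes(out), kept


# --- constructed sample data (not a real capture) --------------------------

def build_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with PSH+ACK set; checksums are zero (not validated)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return eth + ip


def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)


def sample_pcap():
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frames = []
    # client -> server: 12 x 1000-byte segments starting at absolute seq 1000000
    for i in range(12):
        frames.append(build_frame(a, 40000, b, 80, 1000000 + i * 1000, b"A" * 1000))
    # server -> client: 3 segments starting at absolute seq 5000000
    for i in range(3):
        frames.append(build_frame(b, 80, a, 40000, 5000000 + i * 1000, b"B" * 1000))
    # a second connection whose sequence space wraps around 2**32
    c, d = bytes([10, 0, 0, 3]), bytes([10, 0, 0, 4])
    frames.append(build_frame(c, 5555, d, 443, 0xFFFFFF00, b"C" * 256))
    frames.append(build_frame(c, 5555, d, 443, 0x00000100, b"C" * 256))
    # one ARP frame, which the filter must skip
    frames.append(b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28)
    return build_pcap(frames)


if __name__ == "__main__":
    # usage: script.py in.pcap out.pcap [max_relative_seq]
    src_file, dst_file = sys.argv[1], sys.argv[2]
    limit = int(sys.argv[3]) if len(sys.argv) > 3 else 10000
    with open(src_file, "rb") as fh:
        filtered, n = filter_first_bytes(fh.read(), limit)
    with open(dst_file, "wb") as fh:
        fh.write(filtered)
    print(f"kept {n} segments with relative seq < {limit}")
```

The script mirrors what Wireshark's display filter does internally: the relative number is derived state, so it is computed in a separate pass over the dissected packets rather than expressed as a libpcap byte-offset test like `tcp[4:4]`. Running the output through the filter a second time is idempotent, since the first captured segment in each direction is unchanged.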