Wireshark · Wireshark-users: Re: [Wireshark-users] how to print time with epoch formation by tshark

Wireshark-users: Re: [Wireshark-users] how to print time with epoch formation by tshark

Date: Mon, 7 Jul 2008 21:51:34 +0200

On Fri, 4 Jul 2008 12:18:43 +0800, Ian jonhson wrote:
>Unluckily,  I am not permitted to use GUI. So is it
>possible to achieve this?
>
>On Tue, Jul 1, 2008 at 11:20 PM, Stephen Fisher wrote:
>> On Tue, Jul 01, 2008 at 05:01:19PM +0800, Ian jonhson wrote:
>>> I would like to print the captured packet to standard oupout with
>>> epoch time formation. The command I used is:
>>>
>>>  tshark -i 1 -n -f "udp port 8080" -t e -T fields -e frame.time -e
>>> XXXXXX > /tmp/my_tshark_data.$(date +%F-%T)
>>>

Hi Ian

I suppose you just want an outputfile with the timestamp (I don't know, 
what you mean by "-e XXXXXX")

tshark:
$ tshark -i 3 -T fields -e frame.time > date

The output file contains only the timestamp: 
$ more date
Jul  7, 2008 21:24:09.306763000
Jul  7, 2008 21:24:12.089914000 etc..

date:
Next you can use date to convert the timestamp to the epoch timestamp:
$ date -f date +%s > epoch

$ more epoch
1215458649
1215458652 etc...

Hope this helps
Joan

Prev by Date: Re: [Wireshark-users] How to filter out last 1000 frames in a quick way
Next by Date: Re: [Wireshark-users] Capturing Giant Packets Only
Previous by thread: Re: [Wireshark-users] PPI header capture through rpcap not working
Next by thread: [Wireshark-users] Question about tshark protocol hierarchy statistics (phs)
Index(es):
- Date
- Thread