
Extracting timestamp in lua

I am trying to extract the timestamp, so I figure the following fields:

abs_time, utc_time, cls_time, rel_time

contain the timestamp I need. Unfortunately, I got errors. According to Wireshark's official website:

https://www.wireshark.org/docs/wsdg_h...

One can extract those fields from the "pinfo" variable.

    local function init_listener()
        local tap = Listener.new("ip", filter_packets)
        local ipid = Field.new("ip.id")
        function tap.reset()
            packets = 0
        end
        function tap.packet(pinfo, tvb, ip)
            -- as requested, double check with the previous code results.

            -- tried this, didn't work..
            local val1 = pinfo.abs_time

            -- also want to extract those in the same manner..
            local val2 = pinfo.utc_time
            local val3 = pinfo.cls_time
            local val4 = pinfo.rel_time
            -- omitted
        end
        function tap.draw()
            print("Applying filter: " .. "\"" .. filter_packets .. "\"", packets)
        end
    end

So I have two questions:

  1. Is it true that those fields hold the timestamp of a packet header?
  2. How do I extract those fields in a Lua script?
linuxbegginer
asked 2022-06-19 20:09:48 +0000, updated 2022-06-19 20:11:38 +0000

1 Answer

The Pinfo names are abs_ts, rel_ts, delta_ts and delta_dis_ts.

  print ("When the packet was captured.", pinfo.abs_ts)
  print ("Number of seconds passed since beginning of capture.", pinfo.rel_ts)
  print ("Number of seconds passed since the last captured packet.", pinfo.delta_ts)
  print ("Number of seconds passed since the last displayed packet.", pinfo.delta_dis_ts)

(Leaving this original part of the answer for future reference about reading columns)
You would need to adjust the syntax to read from the columns (pinfo.cols.info) (See 11.5.3.3. Example) but even then it only seems to work with text columns like protocol and info.

Can you get what you need from the frame protocol fields such as frame.time or frame.time_epoch?

Chuckc
answered 2022-06-20 14:14:55 +0000, updated 2022-06-20 14:53:42 +0000

Comments

pinfo.cols.abs_time: This one returns just a string called "abs_time", which isn't helping... I don't know if frame.time or frame.time_epoch are the fields that I am looking for (is it a timestamp?)

linuxbegginer (2022-06-20 15:11:12 +0000)

The columns return the column name when there is nothing available to return.
Try the pinfo "field" pinfo.abs_ts.

Chuckc (2022-06-20 15:21:37 +0000)

Thanks Chuckc :)

linuxbegginer (2022-06-20 15:43:35 +0000)
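
The Pinfo timestamps and the frame.time_epoch field named in the answer, read side by side in one tap listener. This is an added example, not code posted by anyone in the thread; the script name timestamps.lua and the capture name capture.pcap are placeholders, and the "ip" tap is used without the question's filter.

```lua
-- Added example; save as timestamps.lua (hypothetical name) and run with:
--   tshark -r capture.pcap -X lua_script:timestamps.lua -q
-- capture.pcap is a placeholder for your own capture file.

-- Field extractors must be created before the tap starts seeing packets.
local f_epoch = Field.new("frame.time_epoch")

local tap = Listener.new("ip")   -- same "ip" tap as in the question, no filter
local packets = 0

function tap.reset()
    packets = 0
end

function tap.packet(pinfo, tvb, ip)
    packets = packets + 1

    -- Pinfo timestamps are plain Lua numbers (seconds with a fractional part).
    -- A double cannot hold nanoseconds at epoch scale, so treat the
    -- microsecond digits below as display only.
    local abs = pinfo.abs_ts
    local utc = os.date("!%Y-%m-%dT%H:%M:%S", math.floor(abs))
    local usec = math.floor((abs % 1) * 1e6)

    -- frame.time_epoch comes back as a FieldInfo whose value is an NSTime,
    -- which keeps seconds and nanoseconds as separate integers (exact).
    local fi = f_epoch()
    local secs, nsecs = fi.value.secs, fi.value.nsecs

    print(string.format("#%d utc=%s.%06dZ rel=%.6f delta=%.6f epoch=%d.%09d",
        pinfo.number, utc, usec, pinfo.rel_ts, pinfo.delta_ts, secs, nsecs))
end

function tap.draw()
    print("packets seen: " .. packets)
end
```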