Hi,
I'm trying to read file and save content to text file with epoch time.
I'm executing : tshark -r filename.cap -t e -F k12text -w tmp.txt, however the exported time stamp is utc time.
Please assist.
Tshark version 3.4.0
-t only affects the timestamp in the summary lines.
~$ tshark -r ./tcptst_out.pcap
1 0.000000 104.18.91.105 192.168.200.135 TCP 443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0
~$ tshark -r ./tcptst_out.pcap -t e
1 1592016429.488229 104.18.91.105 192.168.200.135 TCP 443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0
~$ tshark -r ./tcptst_out.pcap -t u
1 02:47:09.488229 104.18.91.105 192.168.200.135 TCP 443 → 18082 [FIN, ACK] Seq=1 Ack=1 Win=68 Len=0
tshark man page:
-t a|ad|adoy|d|dd|e|r|u|ud|udoy
Set the format of the packet timestamp printed in summary lines. The format can be one of:
This is where the timestamp is set when writing -F k12text:
ms = rec->ts.nsecs / 1000000;
ns = (rec->ts.nsecs - (1000000*ms))/1000;
tmp = gmtime(&rec->ts.secs);
if (tmp == NULL)
snprintf(p, 90, "+---------+---------------+----------+\r\nXX:XX:XX,");
else
strftime(p, 90, "+---------+---------------+----------+\r\n%H:%M:%S,", tmp);
wl = strlen(p);
p += wl;
left -= wl;
wl = snprintf(p, (gulong)left, "%.3d,%.3d %s\r\n|0 |", ms, ns, str_enc);
~$ cat tmp.txt +---------+---------------+----------+ 02:47:09,488,229 ETHER |0 |ec|f4|bb|4a|4e|de|f0|9f|c2|df|16|1f|08|00|45|00|00|28|ad|4a|40|00|3c|06|44|da|68|12|5b|69|c0|a8|c8|87|01|bb|46|a2|02|c6|0f|66|bc|e2|7e|d5|50|11|00|44|cc|a2|00|00|00|00|25|c4|b8|3b|
any option to get the time in epoch time?
Would require a custom build that modifies wiretap/k12text.l.
Or post-process the output file with a script to translate time format.
Comments
Can you update the question with the output of
tshark -v.appended :)
Thanks! I'm seeing the same thing with 4.0.6. Will look at code to see why.
Does it has to be k12text?
Otherwise you can use this way to extract the epoch time and only the other fields you require:
tshark -r filename.cap -T fields -e frame.time_epoch -e ...